Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite wp-ad-management allows Reflected XSS.This issue affects Ads24 Lite: from n/a through <= 1.0.
Published: 2025-12-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject malicious script into a page that is served to unsuspecting users. This can lead to theft of session cookies, defacement or redirection, and execution of arbitrary code in the victim’s browser. The weakness is a classic reflected XSS flaw, identified as CWE‑79.

Affected Systems

The affected vendor is Rakessh, specifically the Ads24 Lite WordPress plugin through version 1.0 inclusive. WordPress installations that have this plugin loaded and a user visits a page that passes unsanitized parameters to the plugin will be vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk, but the EPSS score of less than 1 % shows a very low probability of exploitation at present and the vulnerability is not in the CISA KEV catalog. Likely exploitation would involve an attacker embedding a malicious script into a link that a user clicks, triggering the reflected XSS and compromising the victim’s browser. The attack could be carried out remotely without authentication, provided the site’s URL or an admin access page is publicly reachable.

Generated by OpenCVE AI on May 1, 2026 at 06:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ads24 Lite plugin to a version later than 1.0 if a newer release is available.
  • If no patch exists, remove or deactivate the plugin to eliminate the vulnerable code.
  • Implement input validation or a Content‑Security‑Policy header to restrict execution of inline scripts as a temporary safeguard.

Generated by OpenCVE AI on May 1, 2026 at 06:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite allows Reflected XSS.This issue affects Ads24 Lite: from n/a through 1.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite wp-ad-management allows Reflected XSS.This issue affects Ads24 Lite: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 30 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Dec 2025 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite allows Reflected XSS.This issue affects Ads24 Lite: from n/a through 1.0.
Title WordPress Ads24 Lite plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:09.875Z

Reserved: 2025-01-16T11:24:55.800Z

Link: CVE-2025-23458

cve-icon Vulnrichment

Updated: 2025-12-30T15:55:49.835Z

cve-icon NVD

Status : Deferred

Published: 2025-12-30T00:15:51.447

Modified: 2026-06-17T08:54:31.960

Link: CVE-2025-23458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')