The AdsMiddle plugin for WordPress contains a reflected cross‑site scripting flaw that allows an attacker to inject arbitrary JavaScript into pages returned to the victim. This flaw is caused by improper neutralization of user‑controlled input when the plugin generates content. Because the payload is reflected, an attacker can trigger the vulnerability simply by crafting a malicious URL and encouraging a user to visit it. Successful exploitation can execute arbitrary code within the victim’s browser, enabling session hijacking, credential theft, or defacement of the authenticated session.

All installations of the AdsMiddle plugin version 1.0 and earlier, developed by wjharil, are impacted. The vulnerability exists in every build up to 1.0, so any WordPress site running that code is vulnerable unless the plugin has been upgraded beyond that version.

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is currently rare. The issue is not listed in the CISA KEV catalog, implying no known widespread attacks. The attack vector is likely phishing or malicious link delivery, requiring the victim to click a crafted URL. While the flaw requires user interaction, a well‑crafted social engineering campaign could compromise many users’ sessions and privacy.