Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Padam Shankhadev Ps Ads Pro ps-ads-pro allows Reflected XSS. This issue affects Ps Ads Pro: from n/a through <= 1.0.0.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An input validation flaw in the WordPress Ps Ads Pro plugin allows reflected cross‑site scripting. The flaw occurs when user‑supplied data is incorporated into the web page without proper sanitization, enabling an attacker to inject malicious scripts that run in the victim’s browser. This could lead to session hijacking, defacement, or theft of user credentials for the compromised site.

Affected Systems

The vulnerability affects all installations of the Ps Ads Pro plugin from the earliest version through version 1.0.0. The plugin is distributed by Padam Shankhadev and is used on WordPress sites that have not upgraded beyond the listed maximum version.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity vulnerability. The EPSS score of less than 1% shows that the probability of exploitation is low but not negligible; the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to drive a user to a crafted URL that contains malicious input; the script then executes in the context of the website, potentially affecting any users who view the vulnerable page. The attack vector is inferred as web‑based, and exploitation does not require any special privileges beyond access to the affected WordPress site.

Generated by OpenCVE AI on May 2, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ps Ads Pro to a version that contains the XSS fix.
  • If an upgrade cannot be performed immediately, deactivate the plugin to eliminate the attack surface while monitoring for official patches.
  • Deploy a Web Application Firewall, or set a Content‑Security‑Policy header that blocks inline script execution, so that injected scripts do not run.
  • Ensure all user‑provided content on the site is properly encoded or filtered before rendering.

Advisories
Source: EUVD
ID: EUVD-2025-5696
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Ps Ads Pro allows Reflected XSS. This issue affects Ps Ads Pro: from n/a through 1.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Ps Ads Pro allows Reflected XSS. This issue affects Ps Ads Pro: from n/a through 1.0.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Padam Shankhadev Ps Ads Pro ps-ads-pro allows Reflected XSS. This issue affects Ps Ads Pro: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Ps Ads Pro allows Reflected XSS. This issue affects Ps Ads Pro: from n/a through 1.0.0.
Title WordPress Ps Ads Pro plugin <= 1.0.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:52:48.363Z

Reserved: 2025-01-16T11:29:21.051Z

Link: CVE-2025-23738

Vulnrichment

Updated: 2025-03-04T20:29:16.753Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:46.157

Modified: 2026-06-17T08:56:48.703

Link: CVE-2025-23738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')