Improper neutralization of user input during web page generation in the WP‑Revive Adserver plugin allows stored cross‑site scripting attackers to execute malicious scripts in the context of any site visitor who loads an affected ad. The flaw is a classic stored XSS (CWE‑79) that occurs when ad content entered through the plugin’s interface is rendered without escaping. An attacker can embed JavaScript that will run in blogs where the affected plugin is active, enabling cookie theft, session hijacking, defacement, or drive‑by downloads.

SteveSoehl’s WP‑Revive Adserver plugin versions up to and including 2.2.1 are affected. All installations using these or earlier revisions must check their current version and assess whether the plugin is present on the WordPress instance.

The CVSS score of 6.5 indicates moderate severity, and the EPSS of less than 1% suggests a low probability of exploitation at this time, while the vulnerability is not listed in CISA’s KEV catalog. The XSS vector is likely through the plugin’s ad creation or editing pages, requiring a user role that has permission to add or edit ads. If the site allows untrusted users to create content via this plugin, the risk is higher; otherwise, restricting capability or disabling the plugin can mitigate the risk until a patch is applied.