Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter wpadcenter allows Stored XSS.This issue affects WP AdCenter: from n/a through <= 2.5.8.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the WPeka WP AdCenter WordPress plugin for versions up to and including 2.5.8. Improper neutralization of input during web page generation allows an attacker to store malicious JavaScript that executes whenever a page containing the plugin’s output is viewed, enabling session theft, defacement, or malicious redirection.

Affected Systems

WordPress sites that have the WP AdCenter plugin by WPeka installed in any version 2.5.8 or earlier are affected. No other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of < 1% suggests a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attack requires that the attacker can submit or edit ad content through the plugin interface. The description does not specify the exact access level required, but it is inferred that authentication with sufficient privileges is necessary. Once inserted, the XSS payload will run for any user who loads the affected page, giving the attacker broad impact in a compromised site.

Generated by OpenCVE AI on May 1, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP AdCenter plugin to version 2.5.9 or later to apply the vendor‑provided fix.
  • If immediate upgrade is not possible, disable the creation or editing of custom scripts within the plugin to block the storage of malicious payloads.
  • Consider applying a web application firewall rule to detect and block suspicious JavaScript injections in outgoing responses.

Generated by OpenCVE AI on May 1, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9176 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter allows Stored XSS. This issue affects WP AdCenter: from n/a through 2.5.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter allows Stored XSS. This issue affects WP AdCenter: from n/a through 2.5.9. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter wpadcenter allows Stored XSS.This issue affects WP AdCenter: from n/a through <= 2.5.8.
Title WordPress WP AdCenter plugin <= 2.5.9 - Cross Site Scripting (XSS) vulnerability WordPress WP AdCenter plugin <= 2.5.8 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter allows Stored XSS. This issue affects WP AdCenter: from n/a through 2.5.9.
Title WordPress WP AdCenter plugin <= 2.5.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
Wpeka Wp Adcenter
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.938Z

Reserved: 2025-04-01T13:21:07.842Z

Link: CVE-2025-31860

cve-icon Vulnrichment

Updated: 2025-04-01T15:50:34.309Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:27.583

Modified: 2026-04-23T15:28:26.250

Link: CVE-2025-31860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T11:45:16Z

Weaknesses