Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads adthrive-ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through <= 3.7.3.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Raptive Ads WordPress plugin contains a reflected XSS flaw caused by inadequate sanitization of user-supplied input. An attacker can craft a URL that contains arbitrary JavaScript; when a victim opens the URL, the script runs in the victim's browser in the context of the affected site. This can result in theft of session cookies, defacement of the site, or redirection to phishing domains, compromising confidentiality, integrity, and availability for users of the affected site.

Affected Systems

Any WordPress site that has the Raptive Ads (adthrive-ads) plugin installed at or below version 3.7.3 is vulnerable. The flaw affects all releases of the plugin, which is distributed by Raptive, up to and including 3.7.3.

Risk and Exploitability

The CVSS score of 7.1 denotes high severity, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalogue, suggesting no known active attacks. Exploitation requires a victim to click or otherwise load the crafted URL (UI:R in the CVSS vector). The attacker needs no privileges on the server (PR:N), but the flaw can be used in social-engineering campaigns to compromise user sessions or inject malicious content.

Generated by OpenCVE AI on April 30, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Raptive Ads to the latest version (3.7.4 or later).
  • If an upgrade is not possible, remove or disable the plugin until a patch is available.
  • Implement a content security policy that blocks execution of inline scripts to limit the impact of reflected XSS.

Advisories
Source: EUVD
ID: EUVD-2025-11678
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through 3.7.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through 3.7.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads adthrive-ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through <= 3.7.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through 3.7.3.
Title WordPress Raptive Ads plugin <= 3.7.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Raptive Raptive Ads
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.061Z

Reserved: 2025-04-09T11:19:56.432Z

Link: CVE-2025-32554

Vulnrichment

Updated: 2025-04-17T18:06:38.300Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:43.380

Modified: 2026-04-23T15:29:05.770

Link: CVE-2025-32554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:00:08Z

Weaknesses