Impact
The WP AdCenter plugin stores user-supplied input without sanitizing it, which allows malicious JavaScript to be persisted in the database. When an attacker injects script through a plugin data field, the stored content is later rendered into user-visible pages, so the script runs in each visitor's browser. This can enable an attacker to steal session cookies, deface the site, or carry out further client-side attacks, although the CVE description does not detail specific post-execution outcomes. The vulnerability is therefore a stored XSS flaw that compromises client-side integrity and confidentiality for anyone who views the affected pages.
Affected Systems
The issue affects the WPeka WP AdCenter plugin for WordPress, versions through and including 2.6.1. WordPress sites that have this plugin installed and in use are at risk, particularly if the plugin’s advertisement or content fields are publicly displayed.
Risk and Exploitability
The CVSS score is 6.5, indicating moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is currently not listed in the CISA KEV catalog. The attack likely requires the attacker to supply malicious input via the plugin’s data interface, which is usually restricted to administrators; thus, privileged access is a prerequisite for exploitation. Once injected, the payload is served to all site visitors who view the content, creating a wide impact scope without additional network-level compromise.
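The two patterns described above (unsanitized input persisted, then echoed into a public page; and the fix of gating the save behind an administrative capability and escaping at output) can be shown side by side in a small WordPress plugin file. The following is an added illustration and is not code from WP AdCenter or from OpenCVE; the option names, shortcode tag, form field names, and the `xssdemo_` function prefix are hypothetical, and the file is assumed to be loaded by WordPress so that the core functions it calls (`update_option`, `wp_kses_post`, `esc_html`, `current_user_can`, and so on) are available.

```php
<?php
/*
Plugin Name: Stored XSS escaping demo (hypothetical, added example)
Description: Vulnerable save/render pattern beside its hardened form.
*/

// ---------------------------------------------------------------
// Vulnerable pattern (NOT hooked into WordPress; shown for contrast)
// ---------------------------------------------------------------
function xssdemo_save_vulnerable() {
    // No capability check, no nonce, no sanitization: whatever is POSTed
    // is written to the database as-is, script tags included.
    update_option( 'xssdemo_ad_html', $_POST['ad_html'] );
}

function xssdemo_render_vulnerable() {
    // The stored value is echoed verbatim into the page, so any script
    // that was saved runs in the browser of every visitor who sees the ad.
    return '<div class="ad">' . get_option( 'xssdemo_ad_html', '' ) . '</div>';
}

// ---------------------------------------------------------------
// Hardened pattern (this is what the plugin actually registers)
// ---------------------------------------------------------------
function xssdemo_save_hardened() {
    // Only administrators may change ad content, and the request must
    // carry a valid nonce so a logged-in admin cannot be CSRF'd into saving.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'xssdemo_save_ad' );

    // Sanitize at input, choosing the filter that matches each field:
    //  - plain text fields get sanitize_text_field()
    //  - rich ad markup goes through wp_kses_post(), an allow-list that
    //    strips <script>, event handler attributes and javascript: URLs
    //  - URLs are normalized with esc_url_raw() before storage
    $title = sanitize_text_field( wp_unslash( $_POST['ad_title'] ?? '' ) );
    $html  = wp_kses_post( wp_unslash( $_POST['ad_html'] ?? '' ) );
    $url   = esc_url_raw( wp_unslash( $_POST['ad_url'] ?? '' ) );

    update_option( 'xssdemo_ad', array(
        'title' => $title,
        'html'  => $html,
        'url'   => $url,
    ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=xssdemo&saved=1' ) );
    exit;
}
add_action( 'admin_post_xssdemo_save_ad', 'xssdemo_save_hardened' );

function xssdemo_render_hardened() {
    $ad = get_option( 'xssdemo_ad', array( 'title' => '', 'html' => '', 'url' => '' ) );

    // Escape again at output, per context: attribute, text node, URL, HTML.
    // Re-filtering the stored markup here also protects against rows that
    // were written before sanitization was added (or by another code path).
    return sprintf(
        '<div class="ad"><a href="%s" title="%s">%s</a>%s</div>',
        esc_url( $ad['url'] ),
        esc_attr( $ad['title'] ),
        esc_html( $ad['title'] ),
        wp_kses_post( $ad['html'] )
    );
}
add_shortcode( 'xssdemo_ad', 'xssdemo_render_hardened' );
```

The defensive point is that sanitization on save and escaping on output are both needed: `wp_kses_post()` at input keeps script out of the database, while the context-specific `esc_*` calls at render time guard against values that reached the option table by another route. For an existing install, the same `wp_kses_post()` filter can be applied to already-stored plugin data to find rows whose filtered form differs from what was saved, which is a quick way to spot content that would have executed in visitors' browsers.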
OpenCVE Enrichment