Description
The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-01-28
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

The WP Google Ad Manager plugin contains a stored XSS flaw that allows an authenticated attacker with administrator or higher privileges to inject arbitrary JavaScript through the plugin's admin settings. The settings input is neither sufficiently sanitized on save nor sufficiently escaped on output, so the injected script is stored and then executed each time a user views a page that renders the stored value. This could lead to session hijacking, defacement, or other client-side compromise of any user who accesses the affected page (inferred).

Affected Systems

All releases of the WP Google Ad Manager plugin (distributed by miles99) up to and including version 1.1.0 are affected. The vulnerability manifests only on multi-site WordPress installations or on installations where the WordPress capability unfiltered_html has been disabled; in both cases an administrator is not otherwise permitted to publish raw script, so the missing sanitization is what lets it through. Non-multisite sites with unfiltered_html enabled are not impacted, because administrators there already hold that capability by design.

Risk and Exploitability

The flaw has a CVSS base score of 4.4 (medium) and an EPSS score below 1%, indicating low exploitation likelihood at present. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires administrator-level authentication and works only where such an account can create or edit the plugin's settings; it does not yield server-side code execution, and its effect is confined to script running in the browsers of users who view the affected pages.

Generated by OpenCVE AI on April 16, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Google Ad Manager plugin to a fixed release that includes proper input validation and output escaping.
  • If an upgrade is not immediately possible, disable the plugin on all non-administrator sites within a multi-site network, or deactivate it entirely until a patched version is available.
  • Apply or enable a WordPress content sanitization filter (e.g., wp_kses or a security plugin) on the plugin's admin settings to mitigate CWE-79, so that future input is sanitized before storage and escaped when rendered.
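The following is an added illustration of the CWE-79 pattern the advisory describes and of the remediation the recommendations point at; it is not code from the WP Google Ad Manager plugin. A settings value is saved without sanitization and echoed back without escaping, next to a hardened version that sanitizes on input and escapes on output. The option name `example_ad_slot_name`, the field name `ad_slot_name`, the nonce action and the settings group are assumptions chosen for the example.

```php
<?php
// Added example, not code from the WP Google Ad Manager plugin. It contrasts
// an unsanitized/unescaped settings field (the CWE-79 pattern) with a
// hardened one. Option name, field name, nonce action and settings group
// are assumptions for illustration only.

// --- Vulnerable pattern: raw POST data saved, raw option echoed. ---
function example_save_setting_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_setting' );
    // Stored as-is: markup in the submitted value survives into the database.
    update_option( 'example_ad_slot_name', $_POST['ad_slot_name'] );
}

function example_render_setting_vulnerable() {
    $value = get_option( 'example_ad_slot_name', '' );
    // Echoed as-is: whatever was stored is interpreted by every viewer's browser.
    echo '<input type="text" name="ad_slot_name" value="' . $value . '">';
}

// --- Hardened pattern: sanitize on input, escape on output. ---
function example_save_setting_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_setting' );
    // sanitize_text_field() strips tags and control characters. Where a
    // limited HTML subset is a legitimate value, use wp_kses_post() instead.
    $clean = sanitize_text_field( wp_unslash( $_POST['ad_slot_name'] ?? '' ) );
    update_option( 'example_ad_slot_name', $clean );
}

function example_render_setting_hardened() {
    $value = get_option( 'example_ad_slot_name', '' );
    // esc_attr() encodes quotes and angle brackets for the attribute context.
    // Stored data is escaped even though only administrators can set it:
    // on multisite, or with unfiltered_html removed, they are not trusted
    // to publish raw markup.
    echo '<input type="text" name="ad_slot_name" value="' . esc_attr( $value ) . '">';
}

// Registering the option with a sanitize_callback enforces the same rule
// through the Settings API, so sanitization runs on every save path rather
// than only in one handler.
add_action( 'admin_init', function () {
    register_setting(
        'example_settings_group',
        'example_ad_slot_name',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
} );
```

Reviewing a plugin for this class of issue comes down to two questions per settings field: is the value passed through a sanitizer (`sanitize_text_field`, `wp_kses_post`, `absint`, or a `sanitize_callback` on `register_setting`) before `update_option`, and is it wrapped in the escaping function matching its output context (`esc_attr` for attributes, `esc_html` for text nodes, `esc_url` for URLs, `wp_kses_post` for allowed HTML) when echoed.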

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Wed, 28 Jan 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 11:30:00 +0000

Type          Values Removed   Values Added
Description                    The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title                          WP Google Ad Manager Plugin <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:45.836Z

Reserved: 2026-01-23T21:34:55.715Z

Link: CVE-2026-1399

Vulnrichment

Updated: 2026-01-28T15:51:44.230Z

NVD

Status: Deferred

Published: 2026-01-28T12:15:53.330

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:30:20Z

Weaknesses