Description
The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Immediate Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the Reward Video Ad for WordPress plugin through unfiltered admin settings such as the Account ID, pre‑video message, and color options. This weakness allows an attacker with Administrator or higher privileges to embed malicious scripts that will run whenever any visitor loads a page containing the injected settings, potentially defacing the site, stealing cookies, or hijacking sessions. The flaw is classified as CWE‑79 and raises concerns over confidentiality and integrity for users who interact with the compromised site.
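The description above names the two missing controls: input sanitization when the settings are saved and output escaping when they are rendered. The following is an added illustration written for this page, not the Reward Video Ad plugin's own code; every `rva_`-prefixed function and option name is hypothetical. It shows the unsafe settings pattern the CVE describes beside a hardened version built on the WordPress Settings API (`register_setting` with a `sanitize_callback`, available since WordPress 4.7) and context-appropriate escaping.

```php
<?php
/**
 * Added example for CVE-2026-2424 (not the plugin's code).
 * Hypothetical option names: rva_account_id, rva_pre_message, rva_color.
 */

// --- Unsafe pattern: raw request values stored and echoed back verbatim. ---
function rva_unsafe_save_settings() {
    // No sanitization: whatever the administrator typed is persisted as-is.
    update_option( 'rva_account_id', $_POST['rva_account_id'] ?? '' );
    update_option( 'rva_pre_message', $_POST['rva_pre_message'] ?? '' );
    update_option( 'rva_color', $_POST['rva_color'] ?? '' );
}

function rva_unsafe_render() {
    // No output escaping: a stored <script> tag runs for every visitor of the page.
    echo '<div class="rva-msg">' . get_option( 'rva_pre_message' ) . '</div>';
    echo '<div data-account="' . get_option( 'rva_account_id' )
        . '" style="color:' . get_option( 'rva_color' ) . '"></div>';
}

// --- Hardened pattern: sanitize on input, validate formats, escape on output. ---
function rva_sanitize_color( $value ) {
    // Accept only #rgb or #rrggbb; anything else falls back to a safe default.
    return preg_match( '/^#([A-Fa-f0-9]{3}|[A-Fa-f0-9]{6})$/', (string) $value )
        ? $value
        : '#000000';
}

function rva_register_settings() {
    // The Settings API runs sanitize_callback before each option is written,
    // so options.php never stores the raw submitted value.
    register_setting( 'rva_options', 'rva_account_id', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags and control chars
        'default'           => '',
    ) );
    register_setting( 'rva_options', 'rva_pre_message', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    register_setting( 'rva_options', 'rva_color', array(
        'type'              => 'string',
        'sanitize_callback' => 'rva_sanitize_color',
        'default'           => '#000000',
    ) );
}
add_action( 'admin_init', 'rva_register_settings' );

function rva_safe_render() {
    // Escape for the context each value lands in: HTML text vs. attribute value.
    // Re-validating the color here also neutralises a value stored before the fix.
    $msg     = esc_html( get_option( 'rva_pre_message', '' ) );
    $account = esc_attr( get_option( 'rva_account_id', '' ) );
    $color   = esc_attr( rva_sanitize_color( get_option( 'rva_color', '#000000' ) ) );
    echo '<div class="rva-msg">' . $msg . '</div>';
    echo '<div data-account="' . $account . '" style="color:' . $color . '"></div>';
}
```

Sanitizing on save keeps tainted values out of the options table, but escaping on output is the control that still holds for values written before the fix, which is why the remediation advice to clear residual settings matters when output escaping alone is patched. Administrators on a single-site install normally hold the `unfiltered_html` capability, which is why the advisory rates the required privileges as high (PR:H).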

Affected Systems

Organizations running the Reward Video Ad for WordPress plugin by applixir on any version up to and including 1.6 are affected. The vulnerability manifests when the plugin’s settings are edited via the WordPress admin dashboard; all WordPress installations that include this plugin version inherit the risk.

Risk and Exploitability

The CVSS score is 4.4, indicating a moderate risk level. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not yet widely exploited. Exploitation requires authenticated Administrator access, which means only users with legitimate admin credentials or compromised admin accounts can deploy the payload. Once the script is stored, it will execute on every page load, making the impact persistent while the plugin remains installed.

Generated by OpenCVE AI on March 21, 2026 at 06:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Reward Video Ad for WordPress plugin to a version newer than 1.6 or remove the plugin if it is not required.
  • After upgrading, clear any residual settings to ensure that previously injected scripts are not retained.
  • If an upgrade is not immediately possible, limit administrator logins to essential accounts, enforce two‑factor authentication, and consider disabling the affected settings until a patch is available.
  • Monitor site traffic and user sessions for any signs of unexpected JavaScript execution or session theft.



Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Applixir; Applixir reward Video Ad For Wordpress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Applixir; Applixir reward Video Ad For Wordpress; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Reward Video Ad for WordPress <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Applixir Reward Video Ad For Wordpress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:28.823Z

Reserved: 2026-02-12T20:26:12.791Z

Link: CVE-2026-2424

Vulnrichment

Updated: 2026-03-23T15:07:46.535Z

NVD

Status: Deferred

Published: 2026-03-21T04:16:59.067

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-2424

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:20Z

Weaknesses