Impact
The Quads Ads Manager for Google AdSense plugin fails to sanitize or escape several ad metadata fields, enabling any authenticated user with Contributor-level access or higher to store malicious scripts in those fields. When a page that displays the injected ad is viewed, the stored payload executes in the viewing user's browser, where it can steal session cookies, deface content, or redirect the visitor to malicious sites. No code execution beyond the browser context is possible, but the impact on the confidentiality and integrity of site visitors' sessions can be substantial.
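As an added illustration (not the plugin's own code, which this page does not show), the unsafe save/render pattern the advisory describes beside its hardened form, written in the style of a WordPress plugin; the meta keys, nonce action and field names are assumed, not the plugin's real identifiers.

```php
<?php
// Added example, not the plugin's code. Meta keys 'quads_ad_title' /
// 'quads_ad_body' and nonce action 'quads_save_ad' are hypothetical.

// --- Unsafe pattern: raw input stored, echoed back unescaped ---------------
function unsafe_save_ad_meta( $post_id ) {
    // Whatever the user typed, including <script>, lands in the database.
    update_post_meta( $post_id, 'quads_ad_title', $_POST['quads_ad_title'] );
}
function unsafe_render_ad_meta( $post_id ) {
    $title = get_post_meta( $post_id, 'quads_ad_title', true );
    // Stored XSS: executes for every visitor of a page showing this ad.
    echo '<div class="ad-title">' . $title . '</div>';
}

// --- Hardened pattern: capability + nonce, sanitize on save, escape on output
function safe_save_ad_meta( $post_id ) {
    // Only users allowed to edit this post may change its ad fields.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Reject requests without a valid nonce (CSRF protection).
    $nonce = isset( $_POST['quads_nonce'] ) ? $_POST['quads_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'quads_save_ad' ) ) {
        return;
    }
    // Plain-text field: tags and control characters are stripped.
    $title = sanitize_text_field( wp_unslash( $_POST['quads_ad_title'] ?? '' ) );
    // Rich field: only the post-content HTML whitelist survives; <script>,
    // on* handlers and javascript: URLs are removed by wp_kses_post().
    $body = wp_kses_post( wp_unslash( $_POST['quads_ad_body'] ?? '' ) );
    update_post_meta( $post_id, 'quads_ad_title', $title );
    update_post_meta( $post_id, 'quads_ad_body', $body );
}
function safe_render_ad_meta( $post_id ) {
    $title = get_post_meta( $post_id, 'quads_ad_title', true );
    $body  = get_post_meta( $post_id, 'quads_ad_body', true );
    // Escape for the exact output context, even though input was sanitized:
    // attribute context uses esc_attr(), text context uses esc_html().
    echo '<div class="ad" data-title="' . esc_attr( $title ) . '">';
    echo '<h3>' . esc_html( $title ) . '</h3>';
    // Re-filter stored HTML so rows written by an older, unsanitized
    // version of the save handler cannot execute either.
    echo wp_kses_post( $body );
    echo '</div>';
}
add_action( 'save_post', 'safe_save_ad_meta' );
```

Escaping at output is the control that still protects visitors when ad rows were stored before the fix; sanitizing on save alone leaves such legacy rows live.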
Affected Systems
All WordPress sites running the Quads Ads Manager for Google AdSense plugin in versions 2.0.98.1 or earlier are affected. Site administrators should check whether the plugin is installed at or below this version and review any ad entries created by users with Contributor access or higher.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity; exploitation depends on the attacker's ability to authenticate as a Contributor or higher, a permission that many sites grant to content creators. Since the attack does not require network-level access and the payload persists in the database, it can affect every user who views any page containing the stored ad. The EPSS score is not listed, and the vulnerability is not yet recognized in the CISA KEV catalog, which suggests that exploitation may not yet be widespread but remains likely on sites with many visitors and permissive contributor roles.
OpenCVE Enrichment