Impact
The vulnerability is an unauthenticated cross-site scripting (XSS) flaw in the WPAdverts plugin for WordPress. The plugin processes user-supplied data without validating the input or escaping the output, allowing an attacker to inject malicious JavaScript that is rendered in a visitor's browser. Because the flaw is client-side, it affects only site visitors who view the altered content; it does not grant server-side compromise or control over the WordPress installation.
Affected Systems
The flaw is present in all releases of the WPAdverts plugin by Greg Winiarski up to and including version 2.3.1. Any WordPress site with a version of the plugin in that range installed is potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates a high‑severity client‑side vulnerability. No EPSS score is available, so exploitation probability is uncertain. The vulnerability is not listed in the CISA KEV catalog and no public exploits have been reported. As the flaw is unauthenticated, an external user can attempt exploitation by sending crafted input to the plugin’s form or link endpoints, resulting in script execution for visitors to the site.
OpenCVE Enrichment