CVE-2026-9280 - Vulnerability Details

- Ad Inserter <= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode

Description

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads.

Published: 2026-06-06

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Ad Inserter – Ad Manager & AdSense Ads plugin allows attackers who are not authenticated to inject arbitrary web scripts into pages that use iframe mode via unsanitized URL parameters. When a user is tricked into clicking a crafted link, the injected script runs with the privileges of the page, enabling session hijacking, defacement, or malware delivery. The vulnerability is caused by insufficient input filtering and failure to escape output, a classic reflected XSS flaw identified by CWE‑79.

Affected Systems

Any WordPress site that installs the Ad Inserter plugin from the spacetime vendor, in versions up to and including 2.8.15. The flaw exists when the plugin’s iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on a page.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity vulnerability. No EPSS score is provided, and the issue is not listed in the CISA KEV catalog, suggesting limited documented exploitation. However, the attack path requires only that iframe mode be turned on, a non‑default yet commonly used configuration for AdSense and JavaScript‑based ads, making the vulnerability broadly exploitable with a simple crafted link.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

spacetime

Ad Inserter – Ad Manager & AdSense Ads

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.8.15

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Ad Inserter plugin to the latest available version (post‑2.8.15) which removes the unsafe code paths for iframe mode.
If an upgrade is not immediately possible, disable iframe mode (AI_OPTION_IFRAME) or remove ad blocks that use this mode from the affected pages.
Use a web application firewall or content‑security‑policy headers to block script injection attempts and ensure that all URL parameters are validated or stripped before rendering.

Generated by OpenCVE AI on June 6, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00099.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3460
https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3462
https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3470
https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3460
https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3462
https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3470
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552607%40ad-inserter&new=3552607%40ad-inserter&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d40c05d-dc30-47b1-aea5-cd2b72d4c4c0?source=cve

History

Sat, 06 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 06 Jun 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads.
Title		Ad Inserter <= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3460 https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3462 https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3470 https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3460 https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3462 https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3470 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552607%40ad-inserter&new=3552607%40ad-inserter&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/0d40c05d-dc30-47b1-aea5-cd2b72d4c4c0?source=cve
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-06T02:28:34.218Z

Updated: 2026-06-06T11:43:59.185Z

Reserved: 2026-05-22T13:58:30.376Z

Link: CVE-2026-9280

Vulnrichment

Updated: 2026-06-06T11:43:54.614Z

NVD

Status : Received

Published: 2026-06-06T04:17:41.947

Modified: 2026-06-06T04:17:41.947

Link: CVE-2026-9280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T04:30:12Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object