VYPR
← All advisories
Medium severity6.4NVD Advisory· Published Oct 22, 2025· Updated Apr 15, 2026

CVE-2025-11827

CVE-2025-11827

Description

The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_widget' and 'after_widget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Oboxmedia Ads plugin for WordPress <=1.9.8 has a stored XSS vulnerability via shortcode parameters, allowing authenticated contributors to inject arbitrary scripts.

Vulnerability

Overview The Oboxmedia Ads plugin for WordPress, in all versions up to and including 1.9.8, is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists in the 'oboxads-ad-widget' shortcode, specifically in the 'before_widget' and 'after_widget' parameters, due to insufficient input sanitization and output escaping. This allows attackers to inject arbitrary web scripts that are stored and executed when pages are accessed.

Exploitation

Conditions To exploit this vulnerability, an attacker must have at least contributor-level access to the WordPress site. The attacker can then craft a shortcode with malicious JavaScript in the parameters, which will be stored and executed whenever a user views the compromised page.

Impact and

Mitigation Successful exploitation leads to arbitrary script execution in the context of the victim's browser, potentially enabling data theft, session hijacking, or defacement. As of October 17, 2025, the plugin has been closed on the WordPress plugin directory due to this security issue [1]. No patched version is available; users should remove or replace the plugin to mitigate the risk.

References
  1. Oboxmedia Ads

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.