CVE-2025-53319
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads adthrive-ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through <= 3.8.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in Raptive Ads WordPress plugin allows attackers to inject malicious scripts via reflected input, affecting versions up to 3.8.0.
The Raptive Ads (adthrive-ads) WordPress plugin up to version 3.8.0 is vulnerable to a reflected cross-site scripting (XSS) attack due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript code that is reflected back to the user's browser.
Exploitation requires a privileged user (e.g., admin) to interact with a crafted link or submit a malicious form [1]. The attacker can trigger the XSS by tricking the victim into clicking a specially crafted URL or visiting a page containing the malicious payload. If exploited, an attacker could execute arbitrary scripts within the victim's browser session, potentially leading to session hijacking, redirection to malicious sites, or injection of unwanted advertisements [1].
The vulnerability has a CVSS score of 7.1 (High) and is considered likely to be targeted in mass-exploit campaigns. The vulnerability has been addressed in version 3.9.0 of the plugin. Users are strongly advised to update immediately or enable auto-update if using Patchstack [1]. No virtual patch is available due to the nature of the vulnerability, so updating is the primary mitigation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.