CVE-2025-62118
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kcseopro AdWords Conversion Tracking Code adwords-conversion-tracking-code allows Stored XSS. This issue affects AdWords Conversion Tracking Code: from n/a through <= 1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in AdWords Conversion Tracking Code plugin up to 1.0 allows attackers to inject malicious scripts into WordPress sites.
The AdWords Conversion Tracking Code plugin for WordPress, versions 1.0 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows attackers with sufficient privileges to inject arbitrary JavaScript or HTML into the plugin's settings or output, which is then executed when other users or visitors access the affected pages.
Exploitation requires an authenticated user with the ability to save plugin settings, typically an administrator role. The attacker can embed malicious payloads that trigger when the settings are saved or when the generated tracking code is rendered in a browser [1]. User interaction is not needed for execution; the script runs automatically for anyone viewing the affected content.
Successful exploitation enables an attacker to perform actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing sensitive information like cookies or session tokens. This could compromise the entire site and its users, especially if used in mass-exploit campaigns targeting many WordPress installations [1].
To mitigate, users should update the plugin to a patched version if available, or remove it entirely. Since no fix is confirmed for version 1.0, replacing it with an alternative tracking solution is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 1.0
- Range: <= 1.0
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.