CVE-2025-62984
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter wpadcenter allows Stored XSS. This issue affects WP AdCenter: from n/a through <= 2.6.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WP AdCenter plugin (≤2.6.1) lets low-privilege users inject malicious scripts that execute when visitors load pages.
WP AdCenter (WordPress plugin) versions through 2.6.1 are vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-62984. The root cause is improper neutralization of user-supplied input during web page generation, meaning that input fields or settings handled by the plugin do not sanitize or escape certain content before storing it in the database.
Attack Vector and Requirements
An attacker with authenticated access (at most a contributor or similar low-privileged role) can inject arbitrary HTML or JavaScript payloads into the plugin's storage. Successful exploitation requires that an administrative user performs an action, such as clicking a crafted link or visiting a prepared page, that loads the stored malicious content, triggering the script execution in the context of the admin's session [1].
Impact
If exploited, the attacker can inject scripts that, when executed, may perform actions like redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies. Since the payload is stored, it affects all visitors who access the compromised page, not just the initial victim, amplifying the potential reach [1].
Mitigation
The vulnerability exists in all versions up to and including 2.6.1. The recommended immediate action is to update the WP AdCenter plugin to the latest patched version. If updating is not possible, users should contact their hosting provider or a web developer to apply temporary workarounds. The vulnerability has been reported to Patchstack and is considered to be used in mass-exploit campaigns, so prompt remediation is advised [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.6.1
Patches
No patches discovered yet.
References (1)