VYPR
High severity 7.1 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2025-68872

Description

Unauthenticated reflected XSS in Eli's WordCents adSense Widget with Analytics plugin <= 1.3.03.27 allows attackers to execute malicious scripts via crafted links.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability exists in the Eli's WordCents adSense Widget with Analytics plugin for WordPress, affecting versions 1.3.03.27 and earlier. The flaw is triggered without authentication and allows arbitrary script injection through crafted URL parameters [1].

Exploitation

An unauthenticated attacker can exploit this by crafting a malicious link that, when clicked by a privileged WordPress user (such as an administrator), executes injected JavaScript in the context of the logged-in user's session. No prior access or special privileges are required beyond user interaction [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which are executed when visitors load the affected site. This can lead to information disclosure, session hijacking, or defacement within the scope of the WordPress admin dashboard or front-end [1].

Mitigation

No official patch has been released as of the disclosure date. Patchstack has issued a mitigation rule to block attacks until an official update is available and applied. Users are advised to update the plugin once a patched version is released or contact their hosting provider for assistance [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
