{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2595", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-16T18:01:13.270Z", "datePublished": "2026-03-28T11:26:35.180Z", "dateUpdated": "2026-03-30T15:43:26.611Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-28T11:26:35.180Z"}, "affected": [{"vendor": "wpquads", "product": "Quads Ads Manager for Google AdSense", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.0.98.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Quads Ads Manager for Google AdSense <= 2.0.98.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Ad Metadata Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/99051b12-5a24-4108-9ea4-81f37a1c1b35?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467744/quick-adsense-reloaded"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-03-27T23:01:01.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:43:15.871985Z", "id": "CVE-2026-2595", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:43:26.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2595", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:43:15.871985Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:43:21.995Z"}}], "cna": {"title": "Quads Ads Manager for Google AdSense <= 2.0.98.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Ad Metadata Parameters", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpquads", "product": "Quads Ads Manager for Google AdSense", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.0.98.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-27T23:01:01.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/99051b12-5a24-4108-9ea4-81f37a1c1b35?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467744/quick-adsense-reloaded"}], "descriptions": [{"lang": "en", "value": "The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-28T11:26:35.180Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2595", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:43:26.611Z", "dateReserved": "2026-02-16T18:01:13.270Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-28T11:26:35.180Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2595", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-28T12:16:03.850", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3467744/quick-adsense-reloaded"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/99051b12-5a24-4108-9ea4-81f37a1c1b35?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.98.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Quads Ads Manager for Google AdSense", "source": "cna", "vendor": "wpquads"}, "product": "quads_ads_manager_for_google_adsense", "vendor": "wpquads"}], "analysis": {"en": {"generated_at": "2026-03-28T12:20:36.904208+00:00", "value": {"mitigation_remediation": ["Update the Quads Ads Manager for Google AdSense plugin to the latest available version that includes the XSS fix", "If an update is not immediately possible, disable or uninstall the plugin until a patch is applied", "For sites that must keep the plugin, review user roles and limit Contributor or higher permissions so that only trusted users can add or edit ads"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows an authenticated Contributor or higher to inject and persist arbitrary JavaScript in ad metadata, which will execute in the browsers of any site visitor"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the Quads Ads Manager for Google AdSense plugin in versions 2.0.98.1 or earlier are affected. Site administrators should verify that any instance of the plugin below this version, or any custom ad entry created by a Contributor or higher, is present.", "description_and_impact": "The Quads Ads Manager for Google AdSense plugin fails to sanitize or escape several ad metadata fields, enabling any authenticated user with Contributor-level access to store malicious scripts. When a page that displays the injected ad is viewed, the payload executes in the user\u2019s browser, potentially stealing session cookies, defacing content, or redirecting to malicious sites. No arbitrary code execution beyond the browser context is possible, but the impact on confidentiality and integrity of site visitors can be substantial.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity; the vulnerability depends on the attacker\u2019s ability to authenticate as a Contributor or higher, which is a permission that many sites grant to content creators. Since the attack does not require network-level access and the exploit remains in the database, it can affect all users who view any page containing the stored ad. The EPSS score is not listed, and the vulnerability is not yet recognized in the CISA KEV catalog, which suggests that exploitation may not yet be widespread but is still likely on sites with many visitors and permissive contributor roles."}}}}, "created": "2026-03-29T20:32:35.178101+00:00", "updated": "2026-03-30T06:59:43.962128+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpquads", "wpquads$PRODUCT$quads_ads_manager_for_google_adsense"]}