Community Alert: Hong Kong AdCenter XSS Risk (CVE-2024-10113)

Cross-Site Scripting (XSS) in WordPress WP AdCenter Plugin

Plugin Name: WP AdCenter
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2024-10113
Urgency: Low
CVE Publish Date: 2026-02-03
Source URL: CVE-2024-10113

WP AdCenter (≤ 2.5.7) — Authenticated Contributor Stored XSS (CVE-2024-10113): What site owners need to know

From a Hong Kong security expert: concise, pragmatic guidance for administrators and developers. Treat stored XSS seriously — act quickly and methodically.

TL;DR

  • What: Stored Cross‑Site Scripting (XSS) in the WP AdCenter plugin (versions ≤ 2.5.7). Tracked as CVE‑2024‑10113.
  • Who can exploit it: An authenticated Contributor (or higher) can create ad content containing script payloads that are later rendered to visitors or admins.
  • Risk: CVSS 6.5 (medium). Exploitation requires an authenticated contributor and generally some user interaction or an admin viewing the infected content.
  • Immediate fix: Update WP AdCenter to version 2.5.8 or later.
  • If you cannot update immediately: deactivate the plugin, restrict contributor capabilities, remove/sanitize ad content, apply server-side request filtering (WAF/virtual patch) where available, and perform forensic checks.

1. What happened — quick overview

A stored Cross‑Site Scripting (XSS) vulnerability was found in WP AdCenter (versions up to and including 2.5.7). The plugin accepts ad HTML via shortcodes or its ad manager and outputs parts of that content on public pages. Certain input fields were stored and rendered without sufficient sanitization/escaping, allowing an authenticated Contributor to embed JavaScript. When the ad is rendered, the browser executes the script in the visitor’s context.

  • Vulnerability class: Stored XSS
  • Affected versions: ≤ 2.5.7
  • Fixed in: 2.5.8
  • Required privilege: Contributor (authenticated)
  • CVSS: 6.5
  • CVE: CVE‑2024‑10113
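To make the failure described in section 1 concrete, here is an added Python illustration (not code from WP AdCenter or its vendor) of the two halves of the problem and the remedy: an ad-rendering function that echoes the stored field verbatim, beside a hardened version that passes the HTML through an allowlist sanitizer, plus a scan over stored ad rows of the kind the TL;DR's "remove/sanitize ad content" and "forensic checks" steps call for. The allowlist, the `STORED_ADS` rows and every function name are constructed for this example; in a real WordPress plugin the equivalent calls are wp_kses_post() when saving and the esc_* family when outputting.

```python
"""Added illustration of the stored-XSS pattern and its remedy.
Stand-alone Python; names, allowlist and sample rows are constructed here."""
from html import escape
from html.parser import HTMLParser
import re

# Allowlist of tags an ad creative legitimately needs, with permitted attributes.
# (Constructed for this example; WordPress's wp_kses_post() carries its own list.)
ALLOWED_TAGS = {
    "a": {"href", "title", "target", "rel"},
    "img": {"src", "alt", "width", "height"},
    "div": {"class"}, "span": {"class"}, "p": set(),
    "b": set(), "i": set(), "strong": set(), "em": set(), "br": set(),
}
VOID_TAGS = {"img", "br"}
# Tags whose content must vanish with them, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "template"}
# URLs an ad may reference: http(s), protocol-relative, site-relative, fragment.
# javascript:, data:, vbscript: and similar schemes never match this pattern.
SAFE_URL = re.compile(r"^(?:https?:)?//|^/|^#", re.IGNORECASE)


class AdSanitizer(HTMLParser):
    """Rebuilds markup from the allowlist only and records what it removed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.risky: list[str] = []   # script-capable constructs that were removed
        self._skip = 0               # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.risky.append(f"<{tag}>")
            return
        if self._skip:
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:          # unknown tag: drop the tag, keep its text
            return
        rendered = []
        for name, value in attrs:
            value = value or ""
            if name not in allowed:
                if name.startswith("on"):      # event handler = inline script
                    self.risky.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not SAFE_URL.match(value.strip()):
                self.risky.append(f"{tag}@{name}={value[:32]!r}")
                continue
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # text is always re-escaped


def sanitize_ad_html(raw: str) -> tuple[str, list[str]]:
    """Return (clean_html, list_of_risky_constructs_removed)."""
    p = AdSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out), p.risky


def render_ad_vulnerable(stored_html: str) -> str:
    # The pattern described in section 1: the stored field is echoed verbatim.
    return f'<div class="wpadcenter-ad">{stored_html}</div>'


def render_ad_hardened(stored_html: str) -> str:
    # Sanitize on output as well as on save: rows written before the fix are
    # already in the database, so what comes back from storage is still untrusted.
    clean, _ = sanitize_ad_html(stored_html)
    return f'<div class="wpadcenter-ad">{clean}</div>'


# Constructed sample rows standing in for the plugin's stored ads.
STORED_ADS = [
    {"id": 1, "author": "editor",
     "html": '<a href="https://example.com/promo"><img src="/banner.png" alt="Promo"></a>'},
    {"id": 2, "author": "contributor",
     "html": '<img src="x" onerror="alert(1)"><script>alert(1)</script>'},
    {"id": 3, "author": "contributor",
     "html": '<a href="javascript:alert(1)">Click here</a>'},
]


def scan_stored_ads(ads: list[dict]) -> list[dict]:
    """Forensic pass: list the ads whose stored HTML carries script-capable markup."""
    hits = []
    for ad in ads:
        _, risky = sanitize_ad_html(ad["html"])
        if risky:
            hits.append({"id": ad["id"], "author": ad["author"], "risky": risky})
    return hits


if __name__ == "__main__":
    for hit in scan_stored_ads(STORED_ADS):
        print(f"ad {hit['id']} by {hit['author']}: {hit['risky']}")
    print(render_ad_hardened(STORED_ADS[1]["html"]))
```

Run against the sample rows, the scan flags ads 2 and 3 (both authored by the contributor account) and reports exactly which constructs were stripped, which is the list an incident responder wants when deciding what to remove and which accounts to review. The hardened renderer leaves the benign banner untouched and reduces the injected rows to inert tags.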

2. Why stored XSS is dangerous — even from a Contributor

Stored XSS persists on the site and can affect any visitor or administrator who loads a page containing the malicious content. Consequences include:

  • Cookie/session theft and remote takeover of admin sessions.
  • Actions performed in the context of an authenticated user (post creation, settings changes).
  • Phishing prompts, fake login forms, or persistent defacement visible to users.
  • Delivery of secondary payloads (malware, redirects, cryptominers).
  • Pivoting via browser extensions or other client-side trust relationships.

Because admins and editors have higher privileges, an attacker who can get an admin to view the infected ad can escalate impact quickly. Even if Contributors cannot manage plugins, stored XSS can be used in attack chains to compromise site integrity.

3. Root cause (technical, high level)

The plugin allowed untrusted ad HTML to be saved and later rendered without proper escaping or sanitization. Key points:

  • Ad HTML fields were stored verbatim instead of being sanitized on input.
  • Rendering functions output raw HTML into pages, permitting