CVE-2025-53278
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-23
Assigner: Patchstack
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress WP AdCenter plugin up to and including version 2.6.0. It allows a malicious actor with contributor-level privileges to inject scripts that execute in the browsers of visitors to affected websites, for example to trigger redirects or display advertisements. This happens because the plugin does not properly neutralize user-controllable input during web page generation, enabling attackers to store harmful HTML or scripts that are later served to other users. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to attackers executing malicious scripts on your website visitors' browsers. This can result in unwanted redirects, display of unauthorized advertisements, or other harmful actions that compromise user experience and trust. It may also lead to partial compromise of confidentiality, integrity, and availability of the affected site. However, the severity is considered low with a CVSS score of 6.5, and exploitation requires contributor-level access. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking whether the installed WordPress WP AdCenter plugin version is up to and including 2.6.0, as these versions are vulnerable. Since the vulnerability allows stored XSS via contributor-level input, monitoring for suspicious script injections in plugin-related inputs or database entries can help. However, no specific detection commands are provided in the available resources. It is recommended to engage hosting providers for server-side malware scanning, or professional incident response services, for thorough detection, as plugin-based malware scanners may be unreliable if the site has already been tampered with. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) offered by Patchstack, which protects websites from this vulnerability in the absence of an official fix. Additionally, restricting contributor-level privileges to trusted users reduces the exploitation risk. Monitoring, and engaging hosting providers for server-side malware scanning or professional incident response, is also recommended. Since no official patch is available, these measures provide rapid protection without impacting website performance. [1]