CVE-2026-2424
Received Received - Intake
Stored XSS in Reward Video Ad WordPress Plugin Allows Admin Script Injection

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-21
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2424
EUVD
EUVD-2026-13993
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordfence reward_video_ad to 1.6 (inc)
applixir applixir to 1.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability in the Reward Video Ad for WordPress plugin (AppLixir) is a Stored Cross-Site Scripting (XSS) issue via admin settings such as 'Account ID', 'Message before the video', and color fields. Detection involves checking if these plugin settings contain malicious scripts injected by an authenticated administrator."}, {'type': 'paragraph', 'content': "Since the vulnerability requires Administrator-level access to inject scripts, detection on the system can be done by inspecting the plugin's stored settings for suspicious or unexpected script tags or JavaScript code."}, {'type': 'paragraph', 'content': 'On the WordPress server, you can query the database options table for the plugin settings and look for suspicious content. For example, using MySQL commands:'}, {'type': 'list_item', 'content': "Run a query to check the 'applixir_settings' option for suspicious script tags or JavaScript code: SELECT option_value FROM wp_options WHERE option_name = 'applixir_settings';"}, {'type': 'list_item', 'content': 'Use grep or similar tools on exported database dumps or plugin files to search for suspicious script tags or encoded JavaScript.'}, {'type': 'paragraph', 'content': 'On the network level, detection is more challenging because the vulnerability is stored XSS triggered when users access injected pages. However, monitoring HTTP responses for unexpected inline scripts or suspicious payloads in pages served by the plugin could help.'}, {'type': 'paragraph', 'content': "No explicit detection commands are provided in the resources, but focusing on inspecting the plugin's admin settings stored in the database and monitoring web pages served by the plugin for injected scripts is recommended."}] [1, 2, 3, 5]

Mitigation Strategies

To mitigate the Stored Cross-Site Scripting vulnerability in the Reward Video Ad for WordPress plugin (AppLixir), immediate steps include:

  • Restrict Administrator-level access to trusted users only, since the vulnerability requires authenticated admin access to inject malicious scripts.
  • Review and sanitize all plugin admin settings related to 'Account ID', 'Message before the video', and color fields to remove any injected scripts or suspicious content.
  • If possible, update the plugin to a version that fixes the vulnerability. Since the vulnerability affects all versions up to and including 1.6, check for any patches or newer versions.
  • Temporarily disable or deactivate the Reward Video Ad plugin until a fix or patch is applied.
  • Implement Web Application Firewall (WAF) rules to block common XSS payloads and monitor for suspicious admin activity.

Because the vulnerability stems from insufficient input sanitization and output escaping in plugin settings, applying strict input validation and escaping in the plugin code is the ultimate fix, but this requires developer intervention.

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2424 is a Stored Cross-Site Scripting (XSS) vulnerability in the Reward Video Ad for WordPress plugin (also known as AppLixir) affecting all versions up to and including 1.6. The vulnerability arises because the plugin's admin settings, such as 'Account ID', 'Message before the video', and color fields, do not properly sanitize or escape input and output. This allows authenticated users with Administrator-level access or higher to inject arbitrary web scripts into plugin settings pages. These malicious scripts then execute whenever any user accesses the affected pages."}, {'type': 'paragraph', 'content': "Technically, the vulnerability is due to insufficient input sanitization and output escaping in the plugin's admin settings management, which is handled in files like settings.php. Although the plugin uses WordPress Settings API for managing options and provides a user-friendly admin interface, it fails to properly validate or sanitize certain fields, enabling stored script injection."}] [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker with Administrator-level access to inject malicious JavaScript code into the plugin's admin settings. Because the injected scripts are stored and executed whenever a user accesses the affected pages, this can lead to several security issues including:

  • Execution of arbitrary scripts in the context of your WordPress site.
  • Potential theft of user credentials or session cookies.
  • Unauthorized actions performed on behalf of users (e.g., privilege escalation or data manipulation).
  • Compromise of site integrity and user trust.

Since the attacker must have Administrator-level access to exploit this vulnerability, the risk is somewhat mitigated by the need for high privileges. However, if an attacker gains such access, the impact can be significant.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2424. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart