CVE-2026-2424
Status: Received - Intake
Stored XSS in Reward Video Ad WordPress Plugin Allows Admin Script Injection

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Meta Information
Published: 2026-03-21
Last Modified: 2026-03-21
Generated: 2026-05-07
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product            Version / Range
wordfence   reward_video_ad    up to 1.6 (inclusive)
applixir    applixir           up to 1.6 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2424 is a Stored Cross-Site Scripting (XSS) vulnerability in the Reward Video Ad for WordPress plugin (also known as AppLixir) affecting all versions up to and including 1.6. The vulnerability arises because the plugin's admin settings, such as 'Account ID', 'Message before the video', and color fields, do not properly sanitize or escape input and output. This allows authenticated users with Administrator-level access or higher to inject arbitrary web scripts into plugin settings pages. These malicious scripts then execute whenever any user accesses the affected pages.

Technically, the vulnerability is due to insufficient input sanitization and output escaping in the plugin's admin settings management, which is handled in files like settings.php. Although the plugin uses the WordPress Settings API for managing options and provides a user-friendly admin interface, it fails to properly validate or sanitize certain fields, enabling stored script injection. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability in the Reward Video Ad for WordPress plugin (AppLixir) is a Stored Cross-Site Scripting (XSS) issue via admin settings such as 'Account ID', 'Message before the video', and color fields. Detection involves checking whether these plugin settings contain malicious scripts injected by an authenticated administrator.

Since the vulnerability requires Administrator-level access to inject scripts, detection on the system can be done by inspecting the plugin's stored settings for suspicious or unexpected script tags or JavaScript code.

On the WordPress server, you can query the database options table for the plugin settings and look for suspicious content. For example, using MySQL commands:

  • Run a query to check the 'applixir_settings' option for suspicious script tags or JavaScript code: SELECT option_value FROM wp_options WHERE option_name = 'applixir_settings';
  • Use grep or similar tools on exported database dumps or plugin files to search for suspicious script tags or encoded JavaScript.

On the network level, detection is more challenging because the vulnerability is stored XSS triggered when users access injected pages. However, monitoring HTTP responses for unexpected inline scripts or suspicious payloads in pages served by the plugin could help.

No explicit detection commands are provided in the resources, but focusing on inspecting the plugin's admin settings stored in the database and monitoring web pages served by the plugin for injected scripts is recommended. [1, 2, 3, 5]


What immediate steps should I take to mitigate this vulnerability?

To mitigate the Stored Cross-Site Scripting vulnerability in the Reward Video Ad for WordPress plugin (AppLixir), immediate steps include:

  • Restrict Administrator-level access to trusted users only, since the vulnerability requires authenticated admin access to inject malicious scripts.
  • Review and sanitize all plugin admin settings related to 'Account ID', 'Message before the video', and color fields to remove any injected scripts or suspicious content.
  • If possible, update the plugin to a version that fixes the vulnerability. Since the vulnerability affects all versions up to and including 1.6, check for any patches or newer versions.
  • Temporarily disable or deactivate the Reward Video Ad plugin until a fix or patch is applied.
  • Implement Web Application Firewall (WAF) rules to block common XSS payloads and monitor for suspicious admin activity.

Because the vulnerability stems from insufficient input sanitization and output escaping in plugin settings, applying strict input validation and escaping in the plugin code is the ultimate fix, but this requires developer intervention.
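The detection answer above stops at "query the option and look for suspicious content", and the mitigation answer says the real fix is strict validation and escaping in the plugin. The following Python script is an added example, written for this page; it is not code from the advisory, from Wordfence or from the AppLixir plugin. It parses a PHP-serialized option_value of the kind the SELECT query returns and checks every field against a per-field allowlist (a #RRGGBB colour, an account ID limited to [A-Za-z0-9_-], and markup-free message text), which is exactly the rule set a sanitize_callback in the plugin should enforce before storing and that esc_attr()/esc_html() should back up on output. The option name applixir_settings and the keys account_id, message_before_video and button_color are assumptions (the plugin's real option layout is not shown on this page), and both sample rows are constructed for the example; adapt FIELD_KINDS to the keys you actually see.

```python
"""
Added example: scan the stored settings of the Reward Video Ad (AppLixir)
plugin for values that violate a strict per-field allowlist.

Assumptions (not confirmed by the advisory): the settings live in the
wp_options row 'applixir_settings' as a PHP-serialized array with keys
'account_id', 'message_before_video' and 'button_color'. Adjust FIELD_KINDS
to the keys you actually see in option_value.
"""
import re

# Allowlist rules. These are the rules a sanitize_callback on the plugin side
# should enforce before storing; here they drive detection on stored data.
HEX_COLOR = re.compile(r"#[0-9a-fA-F]{6}")
ACCOUNT_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Anything that could open a tag, an event attribute or a script URL in free text.
MARKUP = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.I)

FIELD_KINDS = {            # assumed key names -> validation kind
    "account_id": "account_id",
    "message_before_video": "text",
    "button_color": "color",
}


def _parse(data, pos):
    """Recursive-descent parser for the subset of PHP serialize() output that
    WordPress options use (null, int, bool, float, string, array)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                    # i:5;  b:1;  d:0.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        value = int(raw) if tag == b"i" else (raw == b"1" if tag == b"b" else float(raw))
        return value, end + 1
    if tag == b"s":                                  # s:<bytes>:"...";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        value = data[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2             # skip ";
    if tag == b"a":                                  # a:<count>:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            result[key], pos = _parse(data, pos)
        return result, pos + 1                       # skip }
    raise ValueError("unsupported serialized type at offset %d" % pos)


def parse_php_serialized(data):
    value, _ = _parse(data, 0)
    return value


def check_field(name, value):
    """Return a reason string when `value` violates the allowlist for `name`, else None."""
    kind = FIELD_KINDS.get(name, "text")    # unknown keys get the strictest (text) rule
    if kind == "color":
        return None if HEX_COLOR.fullmatch(value) else "not a #RRGGBB colour value"
    if kind == "account_id":
        return None if ACCOUNT_ID.fullmatch(value) else "characters outside [A-Za-z0-9_-]"
    if MARKUP.search(value):
        return "contains markup or script-like content"
    return None


def scan_settings(serialized):
    """Parse one option_value and return 'field: reason' findings (empty list = clean)."""
    settings = parse_php_serialized(serialized)
    if not isinstance(settings, dict):
        return ["option_value is not a serialized array; review it manually"]
    findings = []
    for key, value in settings.items():
        if isinstance(value, str):
            reason = check_field(str(key), value)
            if reason:
                findings.append("%s: %s" % (key, reason))
    return findings


# Constructed sample rows (what SELECT option_value ... would return).
# String lengths in PHP serialization are byte counts and must match exactly.
CLEAN_OPTION = (b'a:3:{s:10:"account_id";s:6:"abc123";'
                b's:20:"message_before_video";s:23:"Watch this ad to unlock";'
                b's:12:"button_color";s:7:"#ff0000";}')
INJECTED_OPTION = (b'a:3:{s:10:"account_id";s:6:"abc123";'
                   b's:20:"message_before_video";s:41:"Watch <script>alert(1)</script> to unlock";'
                   b's:12:"button_color";s:4:"blue";}')

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_OPTION), ("injected", INJECTED_OPTION)):
        print(label, "->", scan_settings(blob) or "no findings")
```

In practice you would feed scan_settings() the raw option_value bytes obtained from the MySQL query in the detection answer (or from `wp db query` with WP-CLI, if you use it). The allowlist is deliberately conservative: a colour field that holds anything other than six hex digits, or a message containing a single angle bracket, is reported for review, because a stored-XSS payload in these fields never needs to look like a full script tag.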


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with Administrator-level access to inject malicious JavaScript code into the plugin's admin settings. Because the injected scripts are stored and executed whenever a user accesses the affected pages, this can lead to several security issues including:

  • Execution of arbitrary scripts in the context of your WordPress site.
  • Potential theft of user credentials or session cookies.
  • Unauthorized actions performed on behalf of users (e.g., privilege escalation or data manipulation).
  • Compromise of site integrity and user trust.

Since the attacker must have Administrator-level access to exploit this vulnerability, the risk is somewhat mitigated by the need for high privileges. However, if an attacker gains such access, the impact can be significant.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

