CVE-2026-2595
Stored XSS in Quads Ads Manager Plugin Allows Script Injection
Publication date: 2026-03-28
Last updated on: 2026-03-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quads | ads_manager | to 2.0.98.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-2595 is a vulnerability in the Quads Ads Manager for Google AdSense WordPress plugin, affecting versions up to and including 2.0.98.1. It is a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of multiple ad metadata parameters.
This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page, potentially compromising the security and integrity of the site.
The vulnerability was fixed in version 2.0.99 by sanitizing or restricting CSS injection via Ad Meta Parameters, preventing unauthorized CSS injection that could lead to XSS or UI manipulation.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers with Contributor-level access or above to inject malicious scripts into your WordPress site pages via the Quads Ads Manager plugin.
Such injected scripts can execute in the context of users visiting the affected pages, potentially leading to theft of user data, session hijacking, defacement, or manipulation of the user interface.
Because the vulnerability requires authenticated access, it poses a risk primarily from insiders or compromised accounts with sufficient privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting via ad metadata parameters in the Quads Ads Manager for Google AdSense WordPress plugin versions up to 2.0.98.1. Detection involves identifying if the vulnerable plugin version is installed and if any ad metadata parameters contain injected scripts.
You can check the installed plugin version in your WordPress environment by running the following WP-CLI command:
- wp plugin list --status=active | grep quads
To detect potential malicious scripts injected via ad metadata parameters, you can search the WordPress database for suspicious script tags or unusual CSS in the posts or options tables. For example, using MySQL commands:
- SELECT * FROM wp_posts WHERE post_content LIKE '%<script>%';
- SELECT * FROM wp_options WHERE option_value LIKE '%<script>%';
Additionally, monitoring HTTP responses for unexpected inline scripts or CSS related to ads can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Quads Ads Manager for Google AdSense plugin to version 2.0.99 or later, where the vulnerability has been fixed by sanitizing and restricting CSS injection via Ad Meta Parameters.
If immediate updating is not possible, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with at least Contributor access.
Review and sanitize any ad metadata parameters manually to remove injected scripts or CSS.
Monitor your WordPress site for unusual behavior related to ads or UI manipulation, and consider temporarily disabling the plugin if exploitation is suspected.