CVE-2025-5085
Stored XSS in WP Nano AD WordPress Plugin
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp_nano_ad | to 1.31 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Nano AD WordPress plugin version 1.31 and earlier contains a stored Cross-Site Scripting (XSS) vulnerability in the 'blogrole_link' parameter.
This vulnerability arises because user input in the 'blogrole_link' parameter is not properly sanitized or escaped before being stored in the database.
An authenticated attacker with administrator-level access can inject malicious scripts via this parameter, which then execute whenever a user views the affected page.
This issue specifically affects multi-site WordPress installations or those where the 'unfiltered_html' capability has been disabled.
How can this vulnerability impact me? :
This vulnerability allows an attacker with admin privileges to inject and store malicious scripts that execute in the browsers of users who visit the affected pages.
The impact includes potential theft of user credentials, session hijacking, defacement, or redirection to malicious sites.
Because the attack is stored, the malicious script persists and affects all users who access the injected content.
The CVSS score of 5.5 indicates a medium severity, with the attack requiring administrator privileges but no user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious scripts injected via the 'blogrole_link' parameter in the WP Nano AD plugin's stored data. Specifically, an authenticated administrator can test by submitting a payload such as <script>alert(1)</script> in the 'link url' field when creating or editing a record in the plugin's interface.
To detect exploitation attempts or presence of the vulnerability, you can monitor HTTP POST requests to the route /wp-admin/admin.php?page=wp_nano_ads_all_links&id=1&what=edit for suspicious input in the 'blogrole_link' parameter.
Example command to detect suspicious payloads in web server logs (assuming Apache logs):
- grep -i 'blogrole_link=.*<script' /var/log/apache2/access.log
Additionally, you can use curl to simulate a POST request with a test payload to see if the plugin is vulnerable:
- curl -X POST -d 'blogrole_link=<script>alert(1)</script>' 'https://yourwordpresssite.com/wp-admin/admin.php?page=wp_nano_ads_all_links&id=1&what=edit' --cookie 'wordpress_logged_in=your_auth_cookie'
Note that this requires administrator-level authentication and access to the WordPress admin interface.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Disable or uninstall the WP Nano AD plugin, especially since it is no longer maintained and temporarily removed from the WordPress plugin repository.
- Restrict administrator access to trusted users only, as exploitation requires administrator-level privileges.
- If multi-site installations are used, consider disabling or restricting the plugin usage there, since the vulnerability affects multi-site setups.
- Avoid disabling unfiltered_html capability for trusted administrators, as the vulnerability only affects installations where unfiltered_html is disabled.
- Monitor and audit the plugin's stored data for any injected scripts and remove any suspicious entries.
Long term, wait for a patched version of the plugin or consider alternative plugins that are actively maintained and secure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows authenticated administrators to inject arbitrary scripts that execute when users access affected pages.
Such vulnerabilities can potentially lead to unauthorized access to user data or session hijacking, which may impact the confidentiality and integrity of personal data.
However, the provided information does not explicitly describe any direct impact or assessment related to compliance with standards like GDPR or HIPAA.