Platform: wordpress
Component: quick-adsense-reloaded
Fixed in: 2.0.99
CVE-2026-2595 is a stored Cross-Site Scripting (XSS) vulnerability found in the Quads Ads Manager for Google AdSense WordPress plugin. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which execute when a user accesses the injected page. The vulnerability affects versions up to and including 2.0.98.1. A fix is available in version 2.0.99.
The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 2.0.98.1. An authenticated attacker with Contributor-level access or higher can inject arbitrary web scripts into pages, and those scripts execute whenever a user accesses the injected page. The CVSS score for this vulnerability is 5.4, indicating a moderate risk. The injection is possible because multiple ad metadata parameters are neither sanitized on input nor escaped on output. Consequences could include cookie theft, redirection to malicious websites, or actions performed on behalf of the authenticated user.
An attacker with Contributor or higher access on a website using the Quads Ads Manager plugin can exploit this vulnerability by submitting malicious JavaScript through the ad metadata fields. Once injected, the code is stored in the database and executed whenever a user accesses the page containing the ad. The impact depends on the injected code, but could include stealing sensitive information, modifying website content, or redirecting users to malicious sites. Because only Contributor-level privileges are required, exploitation difficulty is relatively low, while the potential impact is significant.
EPSS: 0.03% (8th percentile)
The recommended mitigation is to update the Quads Ads Manager for Google AdSense plugin to version 2.0.99 or later. This update includes the necessary fixes to prevent malicious script injection. Additionally, review plugin configurations and affected pages for any existing malicious code. Enforce strong password policies and enable two-factor authentication for all user accounts with administrative privileges to prevent unauthorized access. Regularly monitor server logs for suspicious activity as a proactive security measure. Consider implementing a Web Application Firewall (WAF) to further protect against XSS attacks.
Update to version 2.0.99, or a newer patched version
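The two defects named above (no input sanitization, no output escaping of ad metadata) and the mitigation step of reviewing stored values for existing malicious code are illustrated below in WordPress-style PHP. This is an added example, not code from the Quads Ads Manager plugin or from its fix; the meta keys (`_example_ad_label`, `_example_ad_body`), the form field names, the nonce action and the function names are assumptions chosen for illustration. It shows the vulnerable store-and-echo pattern beside a hardened save/render pair and an audit helper that flags stored values carrying markup the allowlist would strip.

```php
<?php
/**
 * Added example (not the plugin's own code). Meta keys, field names, nonce
 * action and function names are assumptions for illustration.
 */

// --- Vulnerable pattern: raw request data stored as-is and echoed unescaped ---
function example_save_ad_meta_vulnerable( int $post_id ): void {
    update_post_meta( $post_id, '_example_ad_label', $_POST['ad_label'] ?? '' );
}
function example_render_ad_vulnerable( int $post_id ): string {
    $label = get_post_meta( $post_id, '_example_ad_label', true );
    // Attacker-controlled string lands in both an attribute and element body.
    return '<div class="ad-label" title="' . $label . '">' . $label . '</div>';
}

// --- Hardened pattern ---
// 1. Nonce + capability check limit who reaches the handler. Note that a
//    Contributor legitimately passes edit_post on their own drafts, so this
//    check alone does not close the XSS; steps 2 and 3 do.
// 2. Sanitize on input: plain-text fields via sanitize_text_field(), fields
//    that need limited HTML via the wp_kses_post() allowlist.
// 3. Escape on output for the exact context (attribute vs. element body).
function example_save_ad_meta_hardened( int $post_id ): void {
    $nonce = isset( $_POST['example_ad_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_ad_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_ad_meta' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $label = sanitize_text_field( wp_unslash( $_POST['ad_label'] ?? '' ) );
    $body  = wp_kses_post( wp_unslash( $_POST['ad_body'] ?? '' ) );
    update_post_meta( $post_id, '_example_ad_label', $label );
    update_post_meta( $post_id, '_example_ad_body', $body );
}
function example_render_ad_hardened( int $post_id ): string {
    $label = get_post_meta( $post_id, '_example_ad_label', true );
    $body  = get_post_meta( $post_id, '_example_ad_body', true );
    // Escaping at output also neutralizes values written earlier by
    // unsanitized code, which matters right after upgrading past a fix.
    return '<div class="ad-label" title="' . esc_attr( $label ) . '">'
        . esc_html( $label ) . '</div>'
        . '<div class="ad-body">' . wp_kses_post( $body ) . '</div>';
}
add_action( 'save_post', 'example_save_ad_meta_hardened' );

// --- Audit helper for reviewing already-stored ad metadata ---
// Returns the meta keys whose stored value the wp_kses_post() allowlist would
// alter, i.e. values containing script tags, event-handler attributes or
// other disallowed markup. Treat the result as a review list, not a verdict:
// wp_kses_post() also normalizes bare entities such as a lone "&", so a
// harmless value can be flagged and should be inspected by hand.
function example_audit_ad_meta( array $stored ): array {
    $findings = [];
    foreach ( $stored as $key => $values ) {
        foreach ( (array) $values as $value ) {
            if ( is_string( $value ) && wp_kses_post( $value ) !== $value ) {
                $findings[] = $key;
                break;
            }
        }
    }
    return $findings;
}
// Usage from a WP-CLI command or admin tool, per post:
//   $flagged = example_audit_ad_meta( get_post_meta( $post_id ) );
```

The audit helper takes the `key => values` array that `get_post_meta( $post_id )` returns with no key argument, so it can be run over every post that carries ad metadata after the update to 2.0.99 and before the affected pages are considered clean.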
Stored XSS is a type of security vulnerability that allows attackers to inject malicious scripts into websites, which are then executed when other users visit the site.
In WordPress, a Contributor has limited permissions to publish and edit content but cannot install plugins or modify site settings.
You can update the plugin from the WordPress admin dashboard, going to Plugins > Updates. Always back up your website before performing any updates.
If you suspect your website has been compromised, change all passwords, scan the website for malware, and restore from a clean backup.
Yes, consider using strong passwords, enabling two-factor authentication, keeping software updated, and using a Web Application Firewall (WAF).