Platform
wordpress
Component
ap-plugin-scripteo
Fixed in
5.0.1
CVE-2025-46464 represents a Stored Cross-Site Scripting (XSS) vulnerability discovered within the Ads Pro Plugin for WordPress. This flaw allows authenticated attackers, possessing contributor-level access or greater, to inject malicious web scripts into pages. Successful exploitation can lead to the execution of arbitrary scripts when users access those compromised pages, potentially compromising user data or website functionality. The vulnerability affects versions of the plugin up to and including 5.0, and a fix is pending.
CVE-2025-46464 in the scripteo Ads Pro plugin is a stored Cross-Site Scripting (XSS) vulnerability: an attacker can inject script into web pages generated by Ads Pro, and that script then executes in the browsers of users who visit those pages. The root cause is improper neutralization of user input before it is placed in page output. Potential impact includes cookie theft, redirection of users to malicious websites, modification of page content, and execution of arbitrary script in the user's browser context. Affected Ads Pro versions run up to and including 5.0 (no lower bound is given). The vulnerability is particularly concerning because stored XSS persists on the website and affects multiple users over time.
The vulnerability is exploited by injecting malicious JavaScript into input fields of the Ads Pro plugin. The injected code is stored in the database and executed every time the page containing it is displayed. An attacker could leverage this to compromise user accounts, steal confidential information, or perform other actions on behalf of the user. The difficulty of exploitation depends on the website's configuration and existing security measures. The lack of a fix increases the risk of exploitation.
Exploit status
EPSS
0.14% (percentile 34%)
CISA SSVC
CVSS vector
Currently, no official fix has been provided for this vulnerability. The most effective mitigation is to update Ads Pro to a version later than 5.0 as soon as one becomes available. In the meantime, apply additional security measures: rigorously validate and sanitize all user input before it is used in page generation, and escape values according to the HTML context they are written into. A Content Security Policy (CSP) can further reduce the impact of XSS by restricting which scripts the browser is allowed to load or run. Monitor the website for suspicious activity, perform regular security audits, and contact the Ads Pro developer (scripteo) for updates on a fix.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Stored (or persistent) XSS is a type of web security vulnerability in which malicious script is saved on the server (for example in the database) and then served to every user who visits the affected page.
Monitor your website for unusual activity, such as unexpected redirects or modified content. Perform penetration testing to identify potential vulnerabilities.
Isolate the affected website, change all passwords, and perform a comprehensive security audit.
Several web security scanning tools can help detect XSS vulnerabilities, both stored and reflected.
A CSP is a security mechanism that allows website administrators to control the resources the browser is allowed to load, helping to prevent XSS attacks.
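The following is an added example, not code from Ads Pro or scripteo, illustrating the two mitigations above (input sanitization and output escaping, plus a CSP as defence in depth) in a WordPress plugin. It shows the unsafe pattern that produces a stored XSS of the kind described for CVE-2025-46464 next to a hardened version. All function, hook, meta-key and post-type names prefixed `adx_` are hypothetical placeholders; the WordPress API functions (`sanitize_text_field`, `wp_kses_post`, `esc_url_raw`, `esc_html`, `esc_attr`, `esc_url`, `wp_verify_nonce`, `current_user_can`, the `save_post_{type}` and `send_headers` hooks) are real.

```php
<?php
/**
 * Added example (not Ads Pro / scripteo code). Names prefixed adx_ and the
 * meta keys / post type are hypothetical placeholders.
 */

// --- VULNERABLE PATTERN (illustrative only) --------------------------------
// A contributor saves an ad title through the plugin's edit form. The value is
// stored unchanged and later echoed into the page without escaping, so any
// markup it contains is rendered, and any script in it runs, for every visitor.
function adx_render_ad_vulnerable( $ad_id ) {
    $title = get_post_meta( $ad_id, '_adx_title', true ); // hypothetical meta key
    echo '<div class="ad-title">' . $title . '</div>';      // unescaped output
}

// --- HARDENED PATTERN --------------------------------------------------------
// 1. Sanitize on input: check the nonce and the user's capability, then filter
//    each field according to the kind of data it is supposed to hold.
function adx_save_ad_fields( $ad_id ) {
    if ( ! isset( $_POST['adx_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['adx_nonce'] ) ), 'adx_save_ad' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $ad_id ) ) {
        return;
    }

    // Plain-text field: sanitize_text_field() strips tags, invalid octets and line breaks.
    $title = isset( $_POST['adx_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['adx_title'] ) ) : '';
    update_post_meta( $ad_id, '_adx_title', $title );

    // Rich-text field: wp_kses_post() keeps only the HTML subset allowed in posts
    // (no <script>, no on* event-handler attributes, no javascript: URLs).
    $body = isset( $_POST['adx_body'] )
        ? wp_kses_post( wp_unslash( $_POST['adx_body'] ) ) : '';
    update_post_meta( $ad_id, '_adx_body', $body );

    // URL field: esc_url_raw() rejects disallowed schemes before storage.
    $url = isset( $_POST['adx_url'] )
        ? esc_url_raw( wp_unslash( $_POST['adx_url'] ) ) : '';
    update_post_meta( $ad_id, '_adx_url', $url );
}
add_action( 'save_post_adx_ad', 'adx_save_ad_fields' ); // 'adx_ad' is a hypothetical post type

// 2. Escape on output, choosing the escaper for the context the value lands in.
//    Stored data is still treated as untrusted: the body is filtered again.
function adx_render_ad_hardened( $ad_id ) {
    $title = get_post_meta( $ad_id, '_adx_title', true );
    $body  = get_post_meta( $ad_id, '_adx_body', true );
    $url   = get_post_meta( $ad_id, '_adx_url', true );

    echo '<div class="ad" data-ad-id="' . esc_attr( $ad_id ) . '">';          // attribute context
    echo '<a href="' . esc_url( $url ) . '">' . esc_html( $title ) . '</a>';   // URL + text contexts
    echo '<div class="ad-body">' . wp_kses_post( $body ) . '</div>';          // limited-HTML context
    echo '</div>';
}

// 3. Defence in depth: a Content Security Policy. With no 'unsafe-inline' in
//    script-src, the browser refuses inline <script> blocks and on* handlers
//    even if an escaping call is missed somewhere.
function adx_send_csp_header() {
    if ( headers_sent() ) {
        return;
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'" );
}
add_action( 'send_headers', 'adx_send_csp_header' );
```

Two points on the design: the escaping function is chosen per context (`esc_attr` inside an attribute, `esc_url` in an `href`, `esc_html` in text), because a single generic "sanitize" pass cannot be safe in all of them; and the CSP is a backstop, not a replacement for escaping. A `script-src 'self'` policy will break themes and plugins that rely on inline scripts, so roll it out first as `Content-Security-Policy-Report-Only` and review the violation reports before enforcing it.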