CVE-2025-62118
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kcseopro AdWords Conversion Tracking Code adwords-conversion-tracking-code allows Stored XSS. This issue affects AdWords Conversion Tracking Code: from n/a through <= 1.0.
Analysis
Stored cross-site scripting (XSS) in the kcseopro AdWords Conversion Tracking Code WordPress plugin, version 1.0 and earlier, allows attackers to inject malicious scripts into web pages, which are then executed in the browsers of other users viewing the affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that can compromise user sessions, steal credentials, or redirect visitors to malicious sites. The EPSS score of 0.04% indicates a low predicted probability of exploitation in the wild, despite the stored XSS vector.
Technical Context
This is a stored cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) affecting a WordPress plugin that handles AdWords conversion tracking code. The plugin fails to properly sanitize or encode user-supplied input before rendering it into the HTML output of web pages. Stored XSS differs from reflected XSS because the malicious payload is persisted in the application (likely in the WordPress database), affecting all users who view the compromised content rather than requiring individual targeted visits. The vulnerability exists in AdWords Conversion Tracking Code versions through 1.0, suggesting the issue was present from initial release.
Affected Products
The kcseopro AdWords Conversion Tracking Code WordPress plugin is affected in all versions up to and including 1.0; the advisory gives the range as "n/a through <= 1.0", so no lower version boundary is stated in the available data. The plugin is distributed via the WordPress plugin repository and is identified by CPE context as a WordPress plugin component. Affected installations are WordPress sites that have activated this plugin to embed AdWords conversion tracking functionality.
Remediation
Users of the AdWords Conversion Tracking Code plugin should immediately update to a patched version if one is available from the vendor; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/adwords-conversion-tracking-code/vulnerability/wordpress-adwords-conversion-tracking-code-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve for the recommended fixed version. If no patched version is published by the plugin author, consider disabling the plugin temporarily and using an alternative conversion tracking method (such as Google Tag Manager or a manually implemented conversion tracking script with proper sanitization). Ensure all user input related to tracking code configuration is sanitized with WordPress sanitization functions (sanitize_text_field, wp_kses_post) before storage, and is escaped with context-appropriate output functions (esc_html for HTML text, wp_json_encode for values embedded in JavaScript) at the point of rendering.
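The following is an added illustrative example, not code from the kcseopro plugin or from Patchstack. It shows the stored XSS pattern described under Technical Context (an option value persisted in the WordPress database and echoed into every page unescaped) next to the sanitize-on-storage, escape-on-output pattern the remediation recommends. The function names prefixed example_ct_, the option name example_ct_settings, the settings group name and the AW-<digits> identifier format are assumptions made for the demonstration; the WordPress functions used (register_setting, sanitize_text_field, get_option, esc_url, wp_json_encode, add_action) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. example_ct_* names, the option
// name 'example_ct_settings' and the AW-<digits> ID format are assumptions.

// --- Vulnerable pattern: a stored option is rendered verbatim into the page ---
function example_ct_render_head_vulnerable() {
    $settings = get_option( 'example_ct_settings', array() );
    // Whatever was saved in the database lands inside the <script> unchanged,
    // so a stored value can terminate the string literal and run its own code
    // in every visitor's browser (stored XSS, CWE-79).
    echo '<script>gtag("event","conversion",{"send_to":"'
        . ( $settings['conversion_id'] ?? '' ) . '"});</script>';
}

// --- Hardened pattern, step 1: sanitize before storage ---
// register_setting() runs sanitize_callback on every save, before update_option().
function example_ct_sanitize( $input ) {
    $clean = array();
    // These values are opaque identifiers, never markup: strip tags and control chars.
    $clean['conversion_id']    = sanitize_text_field( $input['conversion_id'] ?? '' );
    $clean['conversion_label'] = sanitize_text_field( $input['conversion_label'] ?? '' );
    // Allow-list the shape of the ID (assumed format AW-<digits>); reject anything else.
    if ( ! preg_match( '/^AW-\d+$/', $clean['conversion_id'] ) ) {
        $clean['conversion_id'] = '';
    }
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting( 'example_ct_group', 'example_ct_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'example_ct_sanitize',
        'default'           => array(),
    ) );
} );

// --- Hardened pattern, step 2: escape for the output context at render time ---
function example_ct_render_head_hardened() {
    $settings = get_option( 'example_ct_settings', array() );
    $id    = isset( $settings['conversion_id'] ) ? (string) $settings['conversion_id'] : '';
    $label = isset( $settings['conversion_label'] ) ? (string) $settings['conversion_label'] : '';
    if ( '' === $id ) {
        return; // nothing configured, emit nothing
    }

    // URL/attribute context: esc_url() for the src attribute, rawurlencode() for the query value.
    printf(
        '<script async src="%s"></script>' . "\n",
        esc_url( 'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( $id ) )
    );

    // JavaScript context: wp_json_encode() emits a quoted JS string literal. With the
    // JSON_HEX_* flags, quotes, <, >, & and ' are hex-escaped and "/" is backslash-escaped,
    // so a stored value can neither break out of the literal nor close the <script> element.
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $js_id   = wp_json_encode( $id, $flags );
    $send_to = wp_json_encode( $id . '/' . $label, $flags );

    echo "<script>\n";
    echo "window.dataLayer = window.dataLayer || [];\n";
    echo "function gtag(){dataLayer.push(arguments);}\n";
    echo "gtag('js', new Date());\n";
    echo 'gtag("config", ' . $js_id . ");\n";
    echo 'gtag("event", "conversion", {"send_to": ' . $send_to . "});\n";
    echo "</script>\n";
}
add_action( 'wp_head', 'example_ct_render_head_hardened' );
```

The design point is that the hardened version never stores or echoes a free-form script snippet at all: it stores two short identifiers, constrains their shape on save, and rebuilds the tracking snippet itself at output time with each value escaped for the exact context it lands in (URL attribute or JavaScript string). Sanitization on input and escaping on output are both applied, because either one alone leaves a gap if the other path is bypassed (for example, a value written directly via the database or a migration).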