Skip to main content

WordCents adSense Widget CVE-2025-68872

| EUVDEUVD-2025-210162 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-w4qj-8jcx-gg6x
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network with no auth (PR:N) but requires victim click (UI:R); script execution in host site context yields scope change (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:44 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Eli&#039;s WordCents adSense Widget with Analytics <= 1.3.03.27 versions.

AnalysisAI

Reflected cross-site scripting in Eli's WordCents adSense Widget with Analytics WordPress plugin (versions <= 1.3.03.27) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The flaw stems from improper neutralization of user-supplied input (CWE-79), and while no public exploit identified at time of analysis, the scope-changing CVSS vector indicates potential for session hijacking or administrative account takeover if a logged-in WordPress admin is targeted.

Technical ContextAI

The affected component is a WordPress plugin (CPE: cpe:2.3:a:eli:eli's_wordcents_adsense_widget_with_analytics) that integrates Google AdSense ad units with analytics tracking into WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected back into HTTP responses without proper output encoding or input sanitization. Because WordPress plugins execute within the trusted DOM context of the host site, injected scripts inherit cookies, nonces, and admin privileges of the viewing user - a particularly dangerous combination when an authenticated administrator triggers the payload.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wordcents/vulnerability/wordpress-eli-s-wordcents-adsense-widget-with-analytics-plugin-1-3-03-27-reflected-cross-site-scripting-xss-vulnerability) lists only the vulnerable upper bound 1.3.03.27 without a confirmed fixed version. Given the plugin appears unmaintained, the most reliable mitigation is to deactivate and uninstall the WordCents plugin entirely and replace it with an actively maintained AdSense integration (trade-off: loss of any custom analytics configuration tied to this plugin). As a compensating control, deploy a Web Application Firewall (Patchstack, Wordfence, or equivalent) with a virtual patch rule for this CVE to block reflected XSS payloads targeting the plugin's endpoints (trade-off: WAF rules may be bypassed by encoding tricks and require ongoing tuning), and enforce a strict Content-Security-Policy header on the WordPress site to limit inline script execution (trade-off: may break legitimate inline scripts in themes or other plugins).

Share

CVE-2025-68872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy