Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network with no auth (PR:N) but requires victim click (UI:R); script execution in host site context yields scope change (S:C) with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
AnalysisAI
Reflected cross-site scripting in Eli's WordCents adSense Widget with Analytics WordPress plugin (versions <= 1.3.03.27) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The flaw stems from improper neutralization of user-supplied input (CWE-79), and while no public exploit identified at time of analysis, the scope-changing CVSS vector indicates potential for session hijacking or administrative account takeover if a logged-in WordPress admin is targeted.
Technical ContextAI
The affected component is a WordPress plugin (CPE: cpe:2.3:a:eli:eli's_wordcents_adsense_widget_with_analytics) that integrates Google AdSense ad units with analytics tracking into WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected back into HTTP responses without proper output encoding or input sanitization. Because WordPress plugins execute within the trusted DOM context of the host site, injected scripts inherit cookies, nonces, and admin privileges of the viewing user - a particularly dangerous combination when an authenticated administrator triggers the payload.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wordcents/vulnerability/wordpress-eli-s-wordcents-adsense-widget-with-analytics-plugin-1-3-03-27-reflected-cross-site-scripting-xss-vulnerability) lists only the vulnerable upper bound 1.3.03.27 without a confirmed fixed version. Given the plugin appears unmaintained, the most reliable mitigation is to deactivate and uninstall the WordCents plugin entirely and replace it with an actively maintained AdSense integration (trade-off: loss of any custom analytics configuration tied to this plugin). As a compensating control, deploy a Web Application Firewall (Patchstack, Wordfence, or equivalent) with a virtual patch rule for this CVE to block reflected XSS payloads targeting the plugin's endpoints (trade-off: WAF rules may be bypassed by encoding tricks and require ongoing tuning), and enforce a strict Content-Security-Policy header on the WordPress site to limit inline script execution (trade-off: may break legitimate inline scripts in themes or other plugins).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210162
GHSA-w4qj-8jcx-gg6x