Skip to main content

WPAdverts EUVDEUVD-2026-41362

| CVE-2026-57366 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-qxv2-cxmc-87mq
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Unauthenticated reflected XSS (PR:N, UI:R) executing in the browser context gives S:C with low C/I impact; availability is unaffected, so A:N rather than A:L.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:18 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in WPAdverts <= 2.3.1 versions.

AnalysisAI

Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with XSS payload in WPAdverts parameter
Delivery
Deliver crafted link via phishing or malicious post
Exploit
Victim opens link on vulnerable site
Execution
Unsanitized input reflected into page
Persist
Script executes in victim browser session
Impact
Steal session or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the target site to be running WPAdverts 2.3.1 or earlier and requires victim user interaction (UI:R) - the attacker must lure a user to open a crafted link or view attacker-supplied ad content that reaches the vulnerable, unsanitized output. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.1 (High) is driven by network reach, low complexity, no privileges, and a scope change (S:C) into the victim's browser context, offset by required user interaction (UI:R) and only low impact to confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a WPAdverts-enabled page containing a malicious script payload in a reflected parameter and delivers it via phishing email, forum post, or malicious ad. When a victim (potentially a logged-in site administrator) opens the link, the script executes in their browser session, enabling session/cookie theft, CSRF-style actions, or defacement of the rendered page. …
Remediation No vendor-released patch version was identified in the available data; the input only confirms that versions 2.3.1 and earlier are affected, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpadverts/vulnerability/wordpress-wpadverts-plugin-2-3-1-cross-site-scripting-xss-vulnerability) and upgrade to the first release above 2.3.1 as soon as the maintainer publishes it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all WordPress installations for WPAdverts plugin versions 2.3.1 and earlier; identify affected systems and disable the plugin if it is not business-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy