CVE-2026-9280

MEDIUM

Ad Inserter <= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode

Title source: cna

Description

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads.

References (8)

Core 8

Core References

https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3460

https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3470

https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3462

https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3460

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552607%40ad-inserter&new=3552607%40ad-inserter&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/0d40c05d-dc30-47b1-aea5-cd2b72d4c4c0?source=cve

https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3470

https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3462

Scores

CVSS v3 6.1

EPSS 0.0022

EPSS Percentile 12.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

spacetime/Ad Inserter – Ad Manager & AdSense Ads < 2.8.15

Published Jun 06, 2026

Tracked Since Jun 06, 2026