CVE-2025-62984 identifies a stored cross-site scripting (XSS) vulnerability in the WPeka WP AdCenter WordPress plugin, affecting versions up to and including 2.6.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored and later executed in the context of users visiting the affected site. Stored XSS is particularly dangerous because the malicious payload persists on the server and can affect multiple users without requiring repeated exploitation. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), and user interaction (such as clicking a link or viewing a page). The scope is changed, meaning the vulnerability affects resources beyond the vulnerable component. The impact includes limited confidentiality loss (e.g., theft of session cookies), integrity loss (e.g., content manipulation), and availability loss (e.g., script-induced disruptions). No public exploits are known at this time, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of available patches at the time of disclosure necessitates interim mitigations. WP AdCenter is a plugin used to manage advertisements within WordPress sites, often deployed by businesses relying on online advertising revenue or marketing. The vulnerability could be leveraged by attackers to compromise site visitors or administrators, potentially leading to broader attacks such as privilege escalation or data theft.

The vulnerability allows attackers to inject persistent malicious scripts that execute in the browsers of users visiting the affected WordPress sites. This can lead to session hijacking, theft of sensitive information, defacement of web content, or redirection to malicious sites. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory penalties if user data is compromised. The requirement for low privileges and user interaction lowers the barrier for exploitation within organizations that allow user-generated content or have multiple authenticated users. The scope change means that the impact can extend beyond the plugin itself, affecting the entire WordPress site and potentially other integrated systems. Although no known exploits are currently active, the public disclosure increases the risk of future attacks. Organizations relying on WP AdCenter for advertising management are particularly vulnerable, especially those with high traffic or sensitive user bases.

Organizations should monitor WPeka’s official channels for patches addressing this vulnerability and apply them immediately upon release. Until patches are available, implement strict input validation and output encoding on all user-supplied data within the WP AdCenter plugin context to prevent script injection. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads to provide an additional protective layer. Limit user privileges to the minimum necessary, especially for users who can submit content or interact with the plugin. Conduct regular security audits and penetration testing focused on input handling in WordPress plugins. Educate users and administrators about the risks of clicking suspicious links or interacting with untrusted content. Consider temporarily disabling or replacing WP AdCenter if the risk is unacceptable and no patch is available. Maintain comprehensive logging and monitoring to detect any anomalous activity that could indicate exploitation attempts.