CVE-2025-62984 is a stored Cross-site Scripting (XSS) vulnerability found in the WPeka WP AdCenter plugin for WordPress, affecting all versions up to and including 2.6.1. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows an attacker with at least low-level privileges (PR:L) to inject malicious scripts that are stored persistently on the website. These scripts execute in the context of other users who view the affected pages, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The attack requires user interaction (UI:R), such as an administrator or user visiting a maliciously crafted page or interface. The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as indicated by the CVSS vector (C:L/I:L/A:L). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. Although no known exploits are currently in the wild, the medium severity score of 6.5 reflects the realistic risk posed by this stored XSS, especially in environments where WP AdCenter is used to manage advertising content. The plugin is popular among WordPress sites that manage ad campaigns, making it a target for attackers seeking to compromise advertising platforms or inject malicious ads. The vulnerability was published on October 27, 2025, and no official patches or fixes have been linked yet, emphasizing the need for proactive mitigation.

For European organizations, the impact of this vulnerability can be significant, particularly for those relying on WP AdCenter to manage advertising content on WordPress sites. Exploitation could lead to unauthorized script execution, enabling attackers to steal session cookies, deface websites, inject malicious advertisements, or perform actions on behalf of privileged users. This can damage brand reputation, lead to data breaches involving user information, and disrupt advertising operations. Given the interconnected nature of digital advertising and e-commerce in Europe, such disruptions can have financial and operational consequences. Additionally, regulatory frameworks like GDPR impose strict requirements on data protection; exploitation leading to data leakage could result in legal penalties. Organizations with public-facing WordPress sites using this plugin are at risk, especially if administrative users are targeted. The medium severity indicates that while the vulnerability is not critical, it still poses a meaningful threat that should be addressed promptly to avoid exploitation.

1. Monitor WPeka’s official channels for patches or updates addressing CVE-2025-62984 and apply them immediately upon release. 2. Until patches are available, restrict access to WP AdCenter administrative interfaces to trusted users only, using IP whitelisting or VPNs. 3. Implement Web Application Firewalls (WAF) with custom rules to detect and block typical XSS payloads targeting WP AdCenter input fields. 4. Conduct thorough input validation and output encoding on all user-supplied data within the plugin, especially in ad content fields, to neutralize malicious scripts. 5. Regularly audit and sanitize stored content in WP AdCenter to detect and remove any injected scripts. 6. Educate administrators and users about the risks of clicking on suspicious links or interacting with untrusted content within the WordPress admin area. 7. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 8. Use security plugins that can detect and alert on anomalous changes or injections in WordPress content. These targeted measures go beyond generic advice by focusing on access control, monitoring, and proactive content sanitization specific to the WP AdCenter context.