CVE-2025-62984 is a stored Cross-site Scripting (XSS) vulnerability found in the WPeka WP AdCenter WordPress plugin, affecting all versions up to and including 2.6.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently within the application. When other users or administrators view the affected pages, the malicious script executes in their browsers under the context of the vulnerable site. This can lead to session hijacking, theft of cookies, defacement, or redirection to malicious sites. The vulnerability does not require authentication, increasing the attack surface, and no user interaction beyond visiting a compromised page is necessary for exploitation. Although no public exploits have been reported, the nature of stored XSS makes it a critical concern for websites relying on WP AdCenter for ad management. The lack of an official patch at the time of disclosure necessitates immediate attention to mitigate risks. The vulnerability affects the confidentiality and integrity of user data and the availability of the service if attackers leverage it for further attacks or defacement. The plugin is widely used in WordPress environments, which are prevalent across many European organizations, especially those in digital marketing, media, and e-commerce sectors.

For European organizations, exploitation of this stored XSS vulnerability could result in unauthorized access to user sessions, leading to data breaches involving personal information or credentials. Attackers could manipulate website content, damaging brand reputation and customer trust. In sectors such as finance, healthcare, or government, this could lead to regulatory non-compliance and legal consequences under GDPR. The vulnerability could also be leveraged as a pivot point for more sophisticated attacks, including malware distribution or lateral movement within networks. Given the widespread use of WordPress and the popularity of advertising plugins, the scope of affected systems is significant. The ease of exploitation without authentication or user interaction further amplifies the risk. Organizations relying on WP AdCenter for ad delivery or content monetization may experience service disruption or loss of revenue if the vulnerability is exploited.

Immediate mitigation steps include monitoring for updates from WPeka and applying patches as soon as they become available. Until a patch is released, organizations should implement strict input validation and output encoding on all user-generated content related to WP AdCenter. Employing Web Application Firewalls (WAFs) with rules targeting XSS payloads can help block exploitation attempts. Conduct thorough audits of the plugin’s usage and remove or disable it if not essential. Educate administrators and content managers about the risks of stored XSS and encourage cautious handling of user inputs. Regularly review logs for suspicious activity and consider implementing Content Security Policy (CSP) headers to restrict script execution. Finally, maintain robust backup and recovery procedures to restore affected sites quickly if compromised.