CVE-2026-2424 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Reward Video Ad for WordPress plugin, which is widely used to integrate video advertisements into WordPress sites. The vulnerability exists in all versions up to and including 1.6 due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape input fields in the admin settings, including 'Account ID', 'Message before the video', and color configuration fields. This flaw allows an authenticated attacker with Administrator-level privileges to inject arbitrary JavaScript code into the plugin's settings. When any user visits a page where the injected script is rendered, the malicious code executes in their browser context. The attack vector requires no user interaction but does require high privileges, limiting exploitation to trusted users with admin access. The vulnerability impacts confidentiality and integrity by enabling potential session hijacking, credential theft, or unauthorized actions performed on behalf of users. The CVSS v3.1 score is 4.4 (medium), reflecting network attack vector, high attack complexity, required privileges, no user interaction, and limited impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple administrators or less stringent access controls. The lack of available patches necessitates immediate mitigation steps to prevent exploitation.

The vulnerability allows attackers with administrator privileges to inject persistent malicious scripts into WordPress sites using the Reward Video Ad plugin. This can lead to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and potential site defacement. Since the injected scripts execute in the context of any user visiting the affected pages, it can compromise site visitors and administrators alike. The impact is primarily on confidentiality and integrity, with no direct availability impact. Exploitation requires high privileges, which limits the attack surface but increases risk if admin accounts are compromised or malicious insiders exist. Organizations relying on this plugin risk reputational damage, data breaches, and loss of user trust if the vulnerability is exploited. The medium CVSS score reflects moderate severity but should not be underestimated in environments with multiple administrators or high-value targets.

1. Immediately restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege abuse. 2. Implement strict input validation and sanitization on all plugin settings fields, especially those accepting user input like 'Account ID', 'Message before the video', and color fields. 3. Apply proper output encoding/escaping to all data rendered on web pages to prevent script execution. 4. Monitor and audit administrative changes to the plugin settings for suspicious or unauthorized modifications. 5. If possible, disable or remove the Reward Video Ad plugin until a security patch is released. 6. Employ Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this plugin. 7. Educate administrators about the risks of XSS and safe plugin configuration practices. 8. Regularly update WordPress core and plugins to the latest versions once patches become available. 9. Conduct periodic security assessments focusing on plugins and administrative interfaces to identify similar vulnerabilities proactively.