The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress suffers from a reflected cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. This occurs specifically when iframe mode (AI_OPTION_IFRAME) is enabled on an ad block, which is not the default setting but commonly used for AdSense and JavaScript-based ads. Attackers can inject malicious scripts via URL parameters that are not properly sanitized or escaped, potentially leading to script execution in the context of the victim's browser. The vulnerability affects all plugin versions up to 2.8.15. The CVSS 3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low impact on confidentiality and integrity but no impact on availability. No official fix or mitigation has been published by the vendor as of the provided data.

Successful exploitation allows an unauthenticated attacker to execute arbitrary scripts in the context of a victim's browser when the victim clicks a crafted link. This can lead to limited confidentiality and integrity impacts such as theft of user data or session tokens within the affected site context. The attack requires user interaction and the iframe mode enabled on at least one ad block, which is a non-default configuration. There is no indication of availability impact. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling iframe mode (AI_OPTION_IFRAME) on ad blocks if feasible to reduce exposure. Additionally, avoid clicking on suspicious links that could trigger the vulnerability. Monitor vendor communications for updates on patches or official mitigations.