{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11827", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-15T18:48:52.470Z", "datePublished": "2025-10-22T08:27:05.034Z", "dateUpdated": "2026-04-08T16:40:37.786Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:37.786Z"}, "affected": [{"vendor": "oboxgroup", "product": "Oboxmedia Ads", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_widget' and 'after_widget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Oboxmedia Ads <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d8b79cc-287e-420b-8eb8-6345a62e9fb9?source=cve"}, {"url": "https://wordpress.org/plugins/oboxmedia-ads"}, {"url": "https://plugins.trac.wordpress.org/browser/oboxmedia-ads/tags/1.9.8/includes/oboxads-ad-widget.php#L156"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2025-10-21T20:22:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T15:34:29.322046Z", "id": "CVE-2025-11827", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T15:35:10.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11827", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-22T15:34:29.322046Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T15:35:07.671Z"}}], "cna": {"title": "Oboxmedia Ads <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "oboxgroup", "product": "Oboxmedia Ads", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.9.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-21T20:22:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d8b79cc-287e-420b-8eb8-6345a62e9fb9?source=cve"}, {"url": "https://wordpress.org/plugins/oboxmedia-ads"}, {"url": "https://plugins.trac.wordpress.org/browser/oboxmedia-ads/tags/1.9.8/includes/oboxads-ad-widget.php#L156"}], "descriptions": [{"lang": "en", "value": "The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_widget' and 'after_widget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:37.786Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11827", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:37.786Z", "dateReserved": "2025-10-15T18:48:52.470Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-22T08:27:05.034Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_widget' and 'after_widget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11827", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-22T09:15:34.363", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/oboxmedia-ads/tags/1.9.8/includes/oboxads-ad-widget.php#L156"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/oboxmedia-ads"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d8b79cc-287e-420b-8eb8-6345a62e9fb9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:57:39.425049+00:00", "value": {"mitigation_remediation": ["Upgrade the Oboxmedia Ads plugin to a version newer than 1.9.8, which removes the unsafe handling of the widget parameters.", "If an upgrade is not immediately possible, remove or disable the oboxads\u2011ad\u2011widget shortcode from the site to prevent the injection vector.", "Restrict WordPress user roles to the minimal level necessary and consider removing contributor privileges from users who do not need them, thereby reducing the attack surface."], "summary": {"action": "Patch immediately", "impact": "Stored cross\u2011site scripting usable by authenticated contributors"}, "threat_synthesis": {"affected_systems": "All users of the Oboxmedia Ads WordPress plugin, version 1.9.8 and earlier, from the vendor oboxgroup. The plugin is identified as Oboxmedia Ads. The vulnerability is present in all releases up to and including 1.9.8; later releases are not affected.", "description_and_impact": "The Oboxmedia Ads plugin for WordPress is affected by a stored cross\u2011site scripting flaw in the before_widget and after_widget parameters of the oboxads\u2011ad\u2011widget shortcode. Because the plugin does not sanitize or escape input before saving it with the post, an authenticated user with contributor level access or higher can insert arbitrary JavaScript. When a visitor then loads a page containing the widget, the malicious script runs in the visitor\u2019s browser, enabling cookie theft, session hijacking, or defacement of the site content. This weakness corresponds to CWE\u201179 and allows an attacker to compromise the confidentiality, integrity, or availability of the user session but does not grant direct code execution on the server.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score of less than 1\u202f% suggests a very low probability of being actively exploited, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to have contributor or higher access to the WordPress site, so the likelihood of exploitation is contingent on the availability of privileged accounts. Even with the low EPSS, the stored XSS can have significant impact on users visiting the site."}}}}, "created": "2025-10-23T10:07:48.816742+00:00", "updated": "2026-04-22T22:00:18.090361+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}