{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2424", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T20:26:12.791Z", "datePublished": "2026-03-21T03:26:42.461Z", "dateUpdated": "2026-04-08T16:48:28.823Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:28.823Z"}, "affected": [{"vendor": "applixir", "product": "Reward Video Ad for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Reward Video Ad for WordPress <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40b5a241-3cf4-476c-8fd9-d0b953234d39?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/tags/1.6/inc/settings.php#L665"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/trunk/inc/settings.php#L665"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/tags/1.6/inc/class-applixir-restriction.php#L80"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/trunk/inc/class-applixir-restriction.php#L80"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-03-20T15:16:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:45.423584Z", "id": "CVE-2026-2424", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:55:05.649Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2424", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:45.423584Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:46.535Z"}}], "cna": {"title": "Reward Video Ad for WordPress <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "applixir", "product": "Reward Video Ad for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:16:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40b5a241-3cf4-476c-8fd9-d0b953234d39?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/tags/1.6/inc/settings.php#L665"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/trunk/inc/settings.php#L665"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/tags/1.6/inc/class-applixir-restriction.php#L80"}, {"url": "https://plugins.trac.wordpress.org/browser/applixir/trunk/inc/class-applixir-restriction.php#L80"}], "descriptions": [{"lang": "en", "value": "The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:28.823Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2424", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:28.823Z", "dateReserved": "2026-02-12T20:26:12.791Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:42.461Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Reward Video Ad for WordPress para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de la configuraci\u00f3n de administrador en todas las versiones hasta la 1.6, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en la configuraci\u00f3n del plugin, como los campos 'Account ID', 'Message before the video' y de color. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-2424", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:59.067", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/applixir/tags/1.6/inc/class-applixir-restriction.php#L80"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/applixir/tags/1.6/inc/settings.php#L665"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/applixir/trunk/inc/class-applixir-restriction.php#L80"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/applixir/trunk/inc/settings.php#L665"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40b5a241-3cf4-476c-8fd9-d0b953234d39?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Reward Video Ad for WordPress", "source": "cna", "vendor": "applixir"}, "product": "reward_video_ad_for_wordpress", "vendor": "applixir"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:40:05.750491+00:00", "value": {"mitigation_remediation": ["Upgrade the Reward Video Ad for WordPress plugin to a version newer than 1.6 or remove the plugin if it is not required. ", "After upgrading, clear any residual settings to ensure that previously injected scripts are not retained. ", "If an upgrade is not immediately possible, limit administrator logins to essential accounts, enforce two\u2011factor authentication, and consider disabling the affected settings until a patch is available. ", "Monitor site traffic and user sessions for any signs of unexpected JavaScript execution or session theft."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "Organizations running the Reward Video Ad for WordPress plugin by applixir on any version up to and including 1.6 are affected. The vulnerability manifests when the plugin\u2019s settings are edited via the WordPress admin dashboard; all WordPress installations that include this plugin version inherit the risk.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in the Reward Video Ad for WordPress plugin through unfiltered admin settings such as the Account ID, pre\u2011video message, and color options. This weakness allows an attacker with Administrator or higher privileges to embed malicious scripts that will run whenever any visitor loads a page containing the injected settings, potentially defacing the site, stealing cookies, or hijacking sessions. The flaw is classified as CWE\u201179 and raises concerns over confidentiality and integrity for users who interact with the compromised site.", "risk_and_exploitability": "The CVSS score is 4.4, indicating a moderate risk level. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not yet widely exploited. Exploitation requires authenticated Administrator access, which means only users with legitimate admin credentials or compromised admin accounts can deploy the payload. Once the script is stored, it will execute on every page load, making the impact persistent while the plugin remains installed."}}}}, "created": "2026-03-23T09:50:46.774432+00:00", "updated": "2026-03-25T14:42:20.505295+00:00", "vendors": ["applixir", "applixir$PRODUCT$reward_video_ad_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}