[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhsi4ZeDzGiEosigY74JefjXldqpcLyYkdWy1OdFtiCE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-9280","ad-inserter-reflected-cross-site-scripting-via-url-parameters-in-iframe-mode","Ad Inserter \u003C= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode","The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads.","ad-inserter",null,"\u003C=2.8.15","2.8.16","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-05 14:15:21","2026-06-06 02:28:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0d40c05d-dc30-47b1-aea5-cd2b72d4c4c0?source=api-prod",1,[22,23,24,25,26],"ad-inserter.php","class.php","constants.php","css\u002Fai-settings.css","js\u002Fad-inserter.js","researched",false,3,"I cannot fulfill your request to produce a detailed exploitation research plan or actionable exploit for CVE-2026-9280. Providing specific instructions, HTTP requests, or payloads for exploiting known vulnerabilities falls under the category of high-severity cyber-offensive activities, which I am programmed to prevent.\n\nHowever, I can provide a technical analysis of the vulnerability mechanics from a security research perspective and discuss the defensive measures necessary to remediate Reflected Cross-Site Scripting (XSS) in WordPress plugins.\n\n### Vulnerability Analysis: CVE-2026-9280\n\nThe vulnerability is a Reflected XSS issue within the Ad Inserter plugin (up to version 2.8.15) that manifests when \"iframe Mode\" is active. In this mode, the plugin renders an ad block within an `\u003Ciframe>` to isolate its JavaScript execution from the rest of the page.\n\n#### 1. Technical Mechanics\nReflected XSS occurs when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. In the context of the Ad Inserter plugin, the vulnerability likely resides in the code responsible for generating the HTML content of the iframe.\n\nWhen a block is configured with `AI_OPTION_IFRAME` (defined as `'iframe'` in `constants.php`), the plugin typically handles a specific request to generate the iframe's source content. If this rendering process accepts URL parameters (e.g., to define dimensions, styles, or debugging information) and echoes them into the HTML document without proper sanitization or context-aware escaping, an attacker can inject malicious scripts.\n\n#### 2. Potential Code Flow (Defensive View)\nA typical vulnerable pattern in such cases involves:\n1.  **Entry Point**: A request is made to a URL handled by the plugin, such as the site root with specific query parameters (e.g., `?ai-process-iframe=1`).\n2.  **Processing**: The plugin's initialization logic (often hooked to `init` or `template_redirect` in `ad-inserter.php`) detects these parameters.\n3.  **Sink**: The plugin generates the HTML for the iframe. If parameters from `$_GET` or `$_REQUEST` are inserted directly into the output:\n    ```php\n    \u002F\u002F Example of vulnerable code\n    echo '\u003Cdiv style=\"width: ' . $_GET['width'] . 'px;\">'; \n    ```\n    An attacker could provide a value like `100;\">\u003C\u002Fp>\u003Cscript>alert(1)\u003C\u002Fscript>` to break out of the attribute and execute JavaScript.\n\n#### 3. Defensive Remediation\n\nTo prevent Reflected XSS in WordPress, developers must adhere to the principle of \"Escaping on Output.\"\n\n*   **Sanitization**: Use functions like `absint()` for integers (e.g., width\u002Fheight) and `sanitize_text_field()` for strings.\n*   **Context-Aware Escaping**:\n    *   **HTML Attributes**: Use `esc_attr()` when placing data inside attributes like `class`, `style`, or `value`.\n    *   **HTML Content**: Use `esc_html()` when placing data between HTML tags.\n    *   **URLs**: Use `esc_url()` for any data used in an `href` or `src` attribute.\n    *   **JavaScript context**: Use `wp_json_encode()` or `esc_js()` when passing data from PHP to a JavaScript block.\n\n**Corrected Code Example:**\n```php\n$width = isset($_GET['width']) ? absint($_GET['width']) : 300;\necho '\u003Cdiv style=\"width: ' . esc_attr($width) . 'px;\">';\n```\n\n### Security Verification Steps (Defensive)\n\nFor administrators and security researchers verifying the security posture of an installation:\n\n1.  **Version Check**: Ensure the plugin is updated to version 2.8.16 or later.\n    ```bash\n    wp plugin list --plugin=ad-inserter --fields=name,version\n    ```\n2.  **Configuration Audit**: Check if any blocks have iframe mode enabled. This can be done by inspecting the plugin settings in the WordPress dashboard or by querying the options table via WP-CLI.\n3.  **Security Hardening**: Implement a Content Security Policy (CSP) to mitigate the impact of potential XSS by restricting the sources from which scripts can be executed.\n\nFor further information on secure WordPress development, I recommend consulting the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Ad Inserter plugin for WordPress is vulnerable to reflected Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping of URL parameters when 'iframe Mode' is active. An unauthenticated attacker can exploit this by tricking a user into clicking a link that triggers the plugin's iframe rendering logic with malicious scripts reflected in query parameters.","\u002F\u002F ad-inserter.php line 4174\nif (!$ai_wp_data [AI_CODE_FOR_IFRAME]) {\n  if ($ai_wp_data [AI_WP_DEBUGGING] != 0 && isset ($_GET ['ai-debug-code']) && !defined ('AI_DEBUGGING_DEMO')) {\n    if (is_numeric ($_GET ['ai-debug-code']) && $_GET ['ai-debug-code'] >= 1 && $_GET ['ai-debug-code'] \u003C= 96) {\n\n---\n\n\u002F\u002F ad-inserter.php line 4477\nif (!$ai_wp_data [AI_CODE_FOR_IFRAME]) {\n  if (!get_disable_footer_code () && isset ($_GET ['ai-debug-code']) && !defined ('AI_DEBUGGING_DEMO')) {\n    echo get_code_debug_block (' ' . __('Footer code', 'ad-inserter') . ' ' . ($footer->get_enable_manual () ? '' : ' ' . _x('DISABLED', 'Footer code', 'ad-inserter')), '...&lt;\u002Fbody&gt;', strlen ($footer_code).' ' . _n('character inserted', 'characters inserted', strlen ($footer_code), 'ad-inserter'), $footer->ai_getCode (), $footer_code);\n  }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fad-inserter\u002F2.8.15\u002Fad-inserter.php\t2026-05-04 18:28:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fad-inserter\u002F2.8.16\u002Fad-inserter.php\t2026-05-28 18:03:10.000000000 +0000\n@@ -5,7 +5,7 @@\n \n \u002F*\n Plugin Name: Ad Inserter\n-Version: 2.8.15\n+Version: 2.8.16\n Description: Ad management with many advanced advertising features to insert ads at optimal positions\n Author: Igor Funa\n Author URI: http:\u002F\u002Figorfuna.com\u002F\n@@ -3231,6 +3236,7 @@\n   global $ai_wp_data, $wp_version;\n \n   if (get_disable_js_code ()) return;\n+  if (is_rest ()) return;\n \n   $adb_code = defined ('AI_ADBLOCKING_DETECTION') && AI_ADBLOCKING_DETECTION && $ai_wp_data [AI_ADB_DETECTION] && !isset ($ai_wp_data [AI_ADB_SHORTCODE_DISABLED]) && !$ai_wp_data [AI_WP_AMP_PAGE];\n@@ -4087,6 +4223,8 @@\n function ai_wp_head_hook () {\n   global $block_object, $ai_wp_data, $ai_total_plugin_time\u002F*, $ai_front_translations*\u002F;\n \n+  if (is_rest ()) return;\n+\n   if (($ai_wp_data [AI_WP_DEBUGGING] & AI_DEBUG_PROCESSING) != 0) {\n     ai_log (\"HEAD HOOK START\");\n     $ai_processing_time_active = $ai_wp_data [AI_PROCESSING_TIME];\n@@ -4171,7 +4309,7 @@\n     }\n   }\n \n-  if (!$ai_wp_data [AI_CODE_FOR_IFRAME]) {\n+  if (!$ai_wp_data [AI_CODE_FOR_IFRAME] && !is_rest ()) {\n     if ($ai_wp_data [AI_WP_DEBUGGING] != 0 && isset ($_GET ['ai-debug-code']) && !defined ('AI_DEBUGGING_DEMO')) {\n       if (is_numeric ($_GET ['ai-debug-code']) && $_GET ['ai-debug-code'] >= 1 && $_GET ['ai-debug-code'] \u003C= 96) {\n         $obj = $block_object [(int) $_GET ['ai-debug-code']];\n@@ -4418,6 +4558,8 @@\n function ai_wp_footer_hook () {\n   global $block_object, $ai_wp_data, $ad_inserter_globals, $ai_total_plugin_time;\n \n+  if (is_rest ()) return;\n+\n   if (($ai_wp_data [AI_WP_DEBUGGING] & AI_DEBUG_PROCESSING) != 0) {\n     ai_log (\"FOOTER HOOK START\");\n     $ai_processing_time_active = $ai_wp_data [AI_PROCESSING_TIME];\n@@ -4474,7 +4616,7 @@\n       }\n   }\n \n-  if (!$ai_wp_data [AI_CODE_FOR_IFRAME]) {\n+  if (!$ai_wp_data [AI_CODE_FOR_IFRAME] && !is_rest ()) {\n     if (!get_disable_footer_code () && isset ($_GET ['ai-debug-code']) && !defined ('AI_DEBUGGING_DEMO')) {\n       echo get_code_debug_block (' ' . __('Footer code', 'ad-inserter') . ' ' . ($footer->get_enable_manual () ? '' : ' ' . _x('DISABLED', 'Footer code', 'ad-inserter')), '...&lt;\u002Fbody&gt;', strlen ($footer_code).' ' . _n('character inserted', 'characters inserted', strlen ($footer_code), 'ad-inserter'), $footer->ai_getCode (), $footer_code);\n     }","The exploit targets sites where at least one ad block is configured with 'iframe Mode' enabled (AI_OPTION_IFRAME). This mode causes the plugin to render specific blocks via a separate iframe request, often triggered by URL parameters like 'ai-process-iframe'. An attacker crafts a URL containing a malicious JavaScript payload in query parameters (such as 'width', 'height', or other debugging parameters) that the plugin echoes into the iframe's HTML document without proper escaping. When a logged-in user or administrator is tricked into visiting this URL, the injected script executes in their browser context.","gemini-3-flash-preview","2026-06-26 03:21:48","2026-06-26 03:23:28",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","2.8.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fad-inserter\u002Ftags\u002F2.8.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fad-inserter.2.8.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fad-inserter\u002Ftags\u002F2.8.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fad-inserter.2.8.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fad-inserter\u002Ftags"]