cleantalk
Vulnerabilities and Security Researches

Oboxmedia Ads, CVE-2025-11827

CVE, Research URL

CVE-2025-11827

Home page URL

Security reports for Oboxmedia Ads

Application

Oboxmedia Ads

Published on
Oct 22, 2025
Research Description
The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_widget' and 'after_widget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.9.8.
Status
vulnerable
Previous vulnerability researches
Advanced Coupons – WooCommerce Coupons, Store Credit, Gift Cards, Loyalty Program, BOGO Coupons, Discount Rules (CVE-2022-43481) , Jun 07, 2024
Advanced Coupons – WooCommerce Coupons, Store Credit, Gift Cards, Loyalty Program, BOGO Coupons, Discount Rules (CVE-2025-62015) , Nov 10, 2025
New vulnerability
Multilang Contact Form (CVE-2025-62896) , Nov 11, 2025
Simple Stripe Checkout (CVE-2025-49963) , Nov 11, 2025
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader. (CVE-2025-58972) , Nov 11, 2025
AppPresser – Mobile App Framework (CVE-2025-11881) , Nov 11, 2025
Import from YML (CVE-2025-64232) , Nov 11, 2025