cleantalk
Vulnerabilities and Security Researches

Oboxmedia Ads, CVE-2025-11827

CVE, Research URL

CVE-2025-11827

Home page URL

Security reports for Oboxmedia Ads

Application

Oboxmedia Ads

Published on
Oct 22, 2025
Research Description
The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_widget' and 'after_widget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.9.8.
Status
vulnerable
Previous vulnerability researches
This-or-That (CVE-2025-10138) , Nov 10, 2025
New vulnerability
AppPresser – Mobile App Framework (CVE-2025-11881) , Nov 11, 2025
Import from YML (CVE-2025-64232) , Nov 11, 2025
WP Customer Area (CVE-2025-60201) , Nov 11, 2025
SMS for WordPress (CVE-2025-12580) , Nov 10, 2025
WC Return products (CVE-2025-59004) , Nov 10, 2025