CVE-2025-22623: 
WordPress vulnerability analysis and mitigation

Ad Inserter - Ad Manager and AdSense Ads version 2.8.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability. The vulnerability exists in the web application where it dynamically generates web content without validating the source of potentially untrusted data in myapp/includes/dst/dst.php. The vulnerability was discovered on December 6, 2024, and was assigned CVE-2025-22623 (Fluid Attacks).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSSv4 base score of 5.1 (Medium). The vulnerability vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, indicating that it is network accessible, requires low attack complexity, no authentication, but does require user interaction. The vulnerability is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows an attacker to inject malicious scripts that can execute in users' browsers when they access specifically crafted URLs. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (Fluid Attacks).

The vendor has released version 2.8.1 which includes a fix for this reflected cross-site scripting (XSS) vulnerability. Users are advised to upgrade to the latest version to mitigate this security issue (WordPress Plugin).