Security Alert Summary
The Address Bar Ads WordPress plugin is vulnerable to reflected cross-site scripting (XSS) via the URL path in all versions up to and including 1.0.0. Insufficient input sanitization and output escaping allow an unauthenticated attacker to inject scripts that execute when a user is tricked into following a crafted link.
CVE Details
- CVE ID: CVE-2026-1795
- Affected component: Address Bar Ads plugin for WordPress
- Affected versions: All versions up to and including 1.0.0
- Published: February 14, 2026, 07:16:10 AM UTC
- Last modified: February 14, 2026, 07:16:10 AM UTC
- CVSS v3.1: Base score 6.1, MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: CHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
- Authentication/Privileges: None required; the attacker can be unauthenticated
- Primary weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)
Technical Details
The plugin fails to adequately sanitize input taken from the URL path and does not properly escape output in pages that render that input. This is reported as a reflected cross-site scripting (XSS) vulnerability: an attacker can craft a URL containing malicious script in the path portion, and when a victim visits (or is tricked into clicking) that URL, the injected script can execute in the victim’s browser context.
The vulnerability stems from insufficient input validation and output escaping in the plugin code that handles values derived from the request URL. As a reflected XSS, the issue requires the attacker to convince a user to follow a specially crafted link; it does not require the attacker to authenticate. The impact is limited to the confidentiality and integrity of data reachable from the victim's browser context (both rated LOW in the CVSS metrics), with no direct impact on availability.
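As an added illustration, and not the Address Bar Ads code (the advisory does not publish the vulnerable lines), the following hypothetical WordPress snippet shows the CWE-79 pattern described above next to its escaped counterpart; the function names, the shims and the sample path are constructed for this example.

```php
<?php
// Hypothetical plugin fragment: renders a link whose href and text are taken
// from the request path (in WordPress this would come from $_SERVER['REQUEST_URI']).

// Vulnerable pattern: the raw path is written into an attribute and a text node
// with no escaping, so '"', '<' and '>' in the path become live markup.
function abads_render_link_vulnerable(string $request_uri): string {
    return '<a href="' . $request_uri . '">' . $request_uri . '</a>';
}

// Hardened pattern: escape for the exact output context. esc_url() is used for
// the attribute value (it also drops disallowed schemes), esc_html() for the text.
function abads_render_link_hardened(string $request_uri): string {
    return '<a href="' . esc_url($request_uri) . '">' . esc_html($request_uri) . '</a>';
}

// Shims so the file also runs under plain `php` without WordPress loaded.
// They only approximate WordPress behaviour; inside WordPress the real
// esc_html()/esc_url() are used and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        $url = trim($url);
        // Accept only relative paths and http(s) URLs; anything else is dropped.
        if ($url !== '' && $url[0] !== '/' && !preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample path containing characters that would close the attribute
// and start a new element if reflected unescaped.
$sample = '/ads/"><i>injected</i>';
echo "vulnerable: " . abads_render_link_vulnerable($sample) . "\n";
echo "hardened:   " . abads_render_link_hardened($sample) . "\n";
```

In the vulnerable output the sample path breaks out of the href attribute and is parsed as markup; in the hardened output every special character is rendered as an entity and the link stays inert.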
How This Could Impact Your Website
Consider a small site where the site owner manages plugins, an internal editor publishes content, and an external contributor submits posts. An attacker could send a crafted link to the editor or contributor (for example via email or chat). If that user clicks the link while authenticated, a reflected script could run in their browser and access data available to their session or perform actions limited by their role.
Practical consequences include limited disclosure of data visible to the victim in their browser (for example, information rendered on pages they view), session-targeted actions within the scope of the victim’s privileges, and an increased risk of targeted phishing or social-engineering attempts leveraging any exposed information. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts with editing capabilities.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site and user activity logs for unusual behavior, such as unexpected requests or unusual post edits.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.