CVE-2026-1399 in WP Google Ad Manager Plugin Plugin
Summary
by MITRE • 01/28/2026
The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/29/2026
The WP Google Ad Manager Plugin vulnerability represents a critical stored cross-site scripting flaw that undermines the security posture of WordPress installations. This vulnerability exists within the plugin's administrative settings interface and affects all versions up to and including 1.1.0, making it a persistent threat across multiple release cycles. The flaw stems from inadequate input sanitization mechanisms and insufficient output escaping practices that fail to properly validate and sanitize user-supplied data before processing. Security researchers have identified that this vulnerability specifically targets the plugin's handling of administrative inputs, creating a pathway for malicious actors to execute persistent scripts within the context of legitimate user sessions.
The technical exploitation of this vulnerability requires an attacker to possess administrator-level permissions or higher within the WordPress environment, which significantly reduces the attack surface but does not eliminate the risk entirely. The vulnerability's impact is particularly concerning because it operates within multi-site WordPress installations where the attack can potentially affect multiple sites simultaneously. Additionally, the vulnerability is specifically triggered when unfiltered_html has been disabled, which represents a common security hardening practice that organizations implement to prevent malicious script injection. This creates a paradoxical situation where security measures designed to protect against XSS attacks actually expose systems to this particular vulnerability due to the plugin's flawed input handling mechanisms.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to establish persistent footholds within affected systems. Once exploited, malicious scripts can perform actions such as stealing administrator credentials, modifying content, redirecting users to malicious sites, or even establishing backdoors for continued access. The stored nature of this XSS vulnerability means that the injected scripts remain active even after the initial injection point, creating a persistent threat that can affect all users who access the compromised pages. This vulnerability directly aligns with CWE-79, which defines the common weakness of cross-site scripting due to insufficient input sanitization, and represents a clear violation of secure coding practices that should be enforced in all web applications.
The attack vector for this vulnerability is particularly dangerous in multi-site environments where a single compromised plugin can affect numerous individual sites within the network. The requirement for administrator-level access means that this vulnerability is typically exploited through privilege escalation attacks, credential theft, or social engineering campaigns that gain administrative control. Organizations that have disabled unfiltered_html as a security measure may believe they are protected against XSS attacks, but this vulnerability demonstrates how flawed input validation in specific components can bypass these protective measures. Mitigation strategies should include immediate plugin updates to versions that address the sanitization issues, implementation of additional input validation layers, and regular security audits of plugin components. The vulnerability also highlights the importance of following ATT&CK framework concepts related to privilege escalation and persistence mechanisms, as attackers can leverage this vulnerability to establish long-term access to compromised systems.