CVE-2026-2424 in Reward Video Ad for WordPress Plugin
Summary
by MITRE • 03/21/2026
The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-2424 affects the Reward Video Ad plugin for WordPress, a widely used advertising solution that integrates video reward systems into wordpress websites. This particular flaw represents a critical security weakness that undermines the integrity of administrative interfaces within the wordpress ecosystem. The vulnerability specifically targets the plugin's handling of user inputs in administrative settings, creating a persistent vector for malicious code injection that can affect all users of the affected system. The issue impacts all versions of the plugin up to and including version 1.6, making it a significant concern for wordpress administrators who may have unknowingly installed vulnerable software.
The technical root cause of this vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's administrative interface. When administrators configure settings such as the 'Account ID' field, 'Message before the video' text area, and color selection parameters, the plugin fails to properly sanitize or escape user-provided data before storing and rendering it within the web interface. This insufficient sanitization creates a stored cross-site scripting vulnerability where malicious payloads can be permanently stored in the database and executed whenever affected pages are loaded. The vulnerability is classified as a stored XSS attack because the malicious code is persisted in the server's database rather than being reflected in a single request, allowing for broader and more persistent exploitation. This flaw directly corresponds to CWE-79, which defines Cross-Site Scripting vulnerabilities in software applications.
The operational impact of this vulnerability is severe for wordpress administrators and website operators who rely on the Reward Video Ad plugin for their monetization strategies. An attacker with administrator-level access or higher can inject malicious scripts that will execute in the context of other users' browsers when they navigate to pages containing the stored malicious content. This creates a potential attack surface where legitimate users could be compromised through various attack vectors including credential theft, session hijacking, or redirection to malicious websites. The persistence of the stored payload means that even after the initial attack, the malicious code continues to execute whenever users access affected pages, potentially allowing for extended periods of unauthorized access or data exfiltration. The attack chain follows standard ATT&CK framework patterns for privilege escalation and code execution within web applications.
Mitigation strategies for this vulnerability should prioritize immediate patching of the affected plugin to the latest secure version that addresses the input sanitization issues. WordPress administrators should conduct comprehensive security audits of their installed plugins and ensure all third-party components are updated to their latest secure versions. Additionally, implementing proper input validation and output escaping mechanisms within the plugin's codebase is essential to prevent similar vulnerabilities from occurring. Security monitoring should include regular checks for unauthorized modifications to plugin settings and database entries. The vulnerability highlights the importance of following secure coding practices such as those outlined in the OWASP Top Ten and the CERT/CC Secure Coding Standards, particularly regarding input validation, output encoding, and privilege separation. Administrators should also consider implementing web application firewalls and monitoring systems to detect and prevent exploitation attempts, while maintaining regular security assessments to identify potential vulnerabilities in their wordpress installations.