MEDIUM 5.5

CVE-2025-5085: WP Nano AD Stored XSS Vulnerability – WordPress Plugin Security

The WP Nano AD plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions 1.31 and earlier. An authenticated administrator can inject malicious scripts through the 'blogrole_link' parameter that persist in the database and execute in the browsers of users who view affected pages. The vulnerability is limited to WordPress multisite installations or those with the 'unfiltered_html' capability disabled, which narrows its real-world scope but makes it critical for affected deployments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The WP Nano AD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘blogrole_link’ parameter in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-5085 is a CWE-79 stored XSS flaw in WP Nano AD versions ≤1.31. The plugin fails to properly sanitize the 'blogrole_link' parameter on input and does not escape it on output, allowing authenticated users with administrator privileges to store arbitrary JavaScript that executes when other users access the injected pages. The vulnerability manifests only in multisite WordPress environments or single-site installations where the 'unfiltered_html' capability has been revoked—configurations where administrator-submitted content is normally subject to the KSES HTML filter.

Business impact

For WordPress site operators, this vulnerability represents a persistence mechanism for administrative-level attackers to compromise user sessions and data. An insider threat or compromised administrator account can deface content, steal session tokens, redirect users, or harvest credentials without leaving typical audit trails. Organizations relying on role-based access controls to constrain administrator power will find those controls partially bypassed. The risk is amplified in multisite networks where a single administrator account may control multiple properties.

Affected systems

WP Nano AD plugin versions 1.31 and earlier are vulnerable. The plugin must be active on a WordPress installation that is either (1) a multisite network, or (2) a single-site installation with the 'unfiltered_html' capability disabled. Standard WordPress single-site installations where administrators retain full unfiltered HTML capabilities are not vulnerable.

Exploitability

Exploitation requires valid WordPress administrator credentials, making this a privileged-attacker scenario. The attack surface is therefore limited to insider threats, compromised admin accounts, or administrators acting maliciously. Once injected, the payload executes automatically against all site visitors with no additional user interaction required. The barrier to exploitation is high (admin access), but the impact once achieved is broad (affects all users viewing the page).

Remediation

Update WP Nano AD to a version that addresses the sanitization and escaping defects. Users unable to patch immediately should restrict administrator access to users with verified trustworthiness, audit administrator actions for suspicious script injection, and consider disabling the plugin if it is not essential to site operations. For multisite networks, review administrator role assignments across all sites in the network.

Patch guidance

Check the official WP Nano AD plugin repository and vendor advisories for the first patched version released after 1.31. Apply the update through the WordPress plugin management interface or manually if required. Verify the update has been applied by confirming the plugin version in WordPress admin settings. Test the plugin's functionality on a staging environment before deploying to production to ensure the patch does not conflict with other plugins or themes.

Detection guidance

Monitor WordPress administrator accounts for plugin modifications and file edits, particularly to the WP Nano AD plugin or posts/pages containing 'blogrole_link' parameters. Use WordPress security plugins or server-side logging to detect stored XSS payloads in database queries and page content. Review the revision history of affected pages for unexpected JavaScript or event handler insertions. In multisite installations, audit the creation and editing of pages by administrator accounts, especially those with unfamiliar patterns.

Why prioritize this

Although the CVSS score is medium (5.5), this vulnerability should be prioritized for multisite WordPress networks and single-site installations with disabled unfiltered_html, because (1) stored XSS persists across sessions and affects all users indiscriminately, (2) administrator compromise is a high-impact insider threat scenario, and (3) the vulnerability is easy to exploit once access is obtained. Single-site installations where administrators have full HTML capabilities remain unaffected and should be deprioritized.

Risk score, explained

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N yields a score of 5.5 (Medium). The vector reflects: network-accessible attack surface (AV:N), low complexity (AC:L), high privilege requirement (PR:H), no user interaction needed (UI:N), changed scope (S:C) because injected content affects other users, and confidentiality and integrity impact (C:L, I:L) from XSS exploitation without availability impact (A:N). The medium rating appropriately discounts the attack's severity due to the administrative privilege barrier, though the stored nature and cross-user impact prevent a lower score.

Frequently asked questions

Will this vulnerability affect my WordPress site?

Only if you run WordPress Multisite or a single-site installation with 'unfiltered_html' disabled, and have WP Nano AD version 1.31 or earlier active. Standard single-site WordPress installations where administrators retain full HTML privileges are not vulnerable. Check your site configuration and plugin version first.

Does this require the attacker to be a super admin or just a site admin?

The vulnerability requires 'administrator-level access,' which in multisite typically means Site Administrator or Network Administrator roles that have the ability to edit posts/pages and configure plugins. The exact permission threshold depends on your WordPress capability configuration; however, the attacker must be a trusted, authenticated user.

Can users outside my organization exploit this if they visit an injected page?

No. The malicious script executes in the browser of visitors viewing an injected page, but it does not give those visitors any ability to inject their own payloads. The attacker must have administrator access to inject the script in the first place. Visitors are victims of the injected script, not vectors for further compromise.

What should I do while waiting for a patch?

Immediately audit your administrator accounts and access logs for suspicious activity. Restrict administrator access to only verified, trusted individuals. Review page revisions and post/page content for unexpected JavaScript. Consider disabling WP Nano AD if it is not actively used. Monitor site traffic and user behavior for signs of session hijacking or data exfiltration. Apply the patch as soon as it becomes available.

This analysis is based on the CVE description and CVSS vector provided. Exploit details, proof-of-concept code, and weaponized attack scenarios are not provided. Patch availability, version numbers, and timelines should be verified against the official WP Nano AD plugin repository and vendor security advisories. Vulnerability scope and impact may vary depending on your specific WordPress configuration, installed plugins, and access control policies. Test any remediation steps in a staging environment before deployment to production. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).