WordPress Plugin Vulnerabilities

Simple Banner < 3.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Description

The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pro_version_activation_code' parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
simple-banner
Fixed in 3.1.0

References

CVE
CVE-2025-12033
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9b620481-8f45-4616-9b22-2dd14733325c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Cody Sixteen
Verified
No
WPVDB ID
1b9f2fc8-78aa-4b3d-816d-db9fcc3deabb

Timeline

Publicly Published
2025-10-21 (about 6 months ago)
Added
2025-10-21 (about 6 months ago)
Last Updated
2025-10-22 (about 6 months ago)

Other

Published
Title
Published
2022-06-03
Title
Form - Contact Form <= 1.2.4 - Admin+ Stored Cross-Site Scripting
Published
2021-06-07
Title
Nina Forms < 3.5.5 - Reflected Cross-Site Scripting
Published
2017-06-02
Title
Spiffy Calendar < 3.3.0 - Reflected Cross-Site Scripting (XSS)
Published
2025-09-22
Title
Portfolio <= 2.58 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2014-08-01
Title
IgnitionDeck 1.1 - Purchase Form Unspecified XSS