Notibar < 2.1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2025-1672 | Plugin Vulnerabilities

Description

The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 2.1.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9985627d-9ba4-4a5b-94fb-06bcc769acfd

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Khang Duong

Verified

No

WPVDB ID

26c293e5-f67a-416f-8dae-afbf3bc9525f

Timeline

Publicly Published

2025-03-05 (about 1 year ago)

Added

2025-03-11 (about 1 year ago)

Last Updated

2025-03-11 (about 1 year ago)

Other

Published

Title

Published

2024-05-17

Title

WordPress Automatic < 3.95.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via autoplay Parameter

Published

2023-12-26

Title

WP Review Slider < 13.0 - Admin+ Stored XSS

Published

2022-09-26

Title

Social Media Follow Buttons Bar <= 4.73 - Admin+ Stored XSS

Published

2024-12-16

Title

TPG Get Posts <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-07-26

Title

Your Journey theme <= 1.9.8 - Reflected Cross-Site Scripting via Prototype Pollution