Notification < 8.0.0 – Admin+ Stored Cross-Site Scripting | CVE 2021-39340 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/classes/Utils/Settings.php file which made it possible for attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 7.2.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Fixed in 8.0.0

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39340

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thinkland Security Team

Verified

No

WPVDB ID

44594bdf-b05c-4a7b-b9fb-e4bca832616a

Timeline

Publicly Published

2021-10-25 (about 4 years ago)

Added

2021-10-25 (about 4 years ago)

Last Updated

2022-04-13 (about 4 years ago)

Other

Published

Title

Published

2024-12-20

Title

G Web Pro Store Locator <= 2.1 - Reflected Cross-Site Scripting

Published

2025-12-31

Title

Cooked < 1.11.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-06-15

Title

NextGen GalleryView <= 0.5.5 - Reflected XSS

Published

2026-01-20

Title

Hostiko < 94.3.6 - Unauthenticated Stored Cross-Site Scripting

Published

2025-10-10

Title

Next Page, Not Next Post <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting