WordPress Plugin Vulnerabilities

Simple Banner < 3.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description

The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
simple-banner
Fixed in 3.0.5

References

CVE
CVE-2024-13898
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6a2dea28-14cf-4e83-ac72-efc7c97ecf54

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Nguyen Khanh Hao
Verified
No
WPVDB ID
b465c899-a0c3-4b6a-8f2c-a2f80f02f3eb

Timeline

Publicly Published
2025-04-03 (about 1 year ago)
Added
2025-04-03 (about 1 year ago)
Last Updated
2025-04-04 (about 1 year ago)

Other

Published
Title
Published
2025-03-28
Title
wBounce <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-16
Title
Wp-ImageZoom <= 1.1.0 - Reflected XSS
Published
2025-06-19
Title
Tealium < 2.1.21 - Admin+ Stored XSS
Published
2024-05-06
Title
Ditty < 3.1.36 - Author+ Stored XSS
Published
2026-05-05
Title
LatePoint < 5.5.1 - Unauthenticated Stored Cross-Site Scripting via 'first_name' Parameter