WPFront Notification Bar < 2.1.0.08087 – Authenticated Stored XSS | CVE 2021-24601 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

To execute the XSS on all frontend pages and plugin's setting page, add the following payload in the Message Text: <svg/onload=alert(/XSS/)>

To execute XSS in the backend, via the plugin's settings, add the following payload in any of the text field settings (such as Reopen Button Image URL, Keep Closed Cookie Name, Button Text, Button URL, Display on Pages, Landing Page Cookie Name): "><script>alert(/XSS/)</script>

Affects Plugins

wpfront-notification-bar

Fixed in 2.1.0.08087

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Siddheshwar Vishwambhar mane

Verified

Yes

WPVDB ID

bb437706-a918-4d66-b027-b083ab486074

Timeline

Publicly Published

2021-08-09 (about 4 years ago)

Added

2021-08-09 (about 4 years ago)

Last Updated

2022-02-24 (about 3 years ago)

Other

Published

Title

Published

2025-05-12

Title

Real Cookie Banner < 5.1.6 - Admin+ Stored XSS

Published

2025-08-19

Title

SensorPress <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-09-25

Title

User Avatar - Reloaded < 1.2.2 - Contributor+ Stored XSS

Published

2023-10-11

Title

Etsy Shop < 3.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2026-01-06

Title

STM Gallery 1.9 <= 0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes