Notibar – Notification Bar for WordPress < 2.1.5 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via njt_nofi_text | CVE 2024-11012 | Plugin Vulnerabilities

Description

The The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via njt_nofi_text AJAX action in all versions up to, and including, 2.1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Affects Plugins

Fixed in 2.1.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1766727d-ba54-4b46-b362-415c14be027d

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

ef3b0b92-02b5-44c3-bbd0-3938d5e31788

Timeline

Publicly Published

2024-12-12 (about 1 year ago)

Added

2024-12-12 (about 1 year ago)

Last Updated

2024-12-13 (about 1 year ago)

Other

Published

Title

Published

2026-02-10

Title

Lucky Wheel Giveaway < 1.0.23 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter

Published

2021-03-16

Title

WP Super Cache < 1.7.2 - Authenticated Remote Code Execution (RCE)

Published

2021-05-14

Title

WP Super Cache < 1.7.3 - Authenticated Remote Code Execution

Published

2025-06-05

Title

Team Showcase < 25.05.13 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Published

2024-10-11

Title

Stackable – Page Builder Gutenberg Blocks < 3.13.7 - Unauthenticated CSS Injection