Stored Cross-Site Scripting Vulnerability in WPFront Notification Bar Plugin for WordPress
CVE-2024-0625
4.8MEDIUM
Summary
The WPFront Notification Bar plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the 'wpfront-notification-bar-options[custom_class]' parameter. This vulnerability affects all versions up to and including 3.3.2. It enables attackers with administrator-level access to inject harmful web scripts into pages, posing a risk as these scripts execute whenever users visit the compromised pages. The issue is particularly critical for multi-site installations and environments where the unfiltered_html setting has been disabled.
Affected Version(s)
WPFront Notification Bar * <= 3.3.2
References
CVSS V3.1
Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Sh