Stored Cross-Site Scripting Vulnerability in WordPress Plugin by Vendor
CVE-2024-2643

Currently unrated

Key Information:

Vendor: WordPress
Status: Floating Notification Bar, Sticky Menu On Scroll, Announcement Banner, And Sticky Header For Any Theme
Vendor: CVE Published:; 15 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-2643?

The Sticky Menu on Scroll, Announcement Banner, and Sticky Header plugin for WordPress prior to version 2.6.8 has been identified to allow high privilege users, such as administrators, to execute stored Cross-Site Scripting (XSS) attacks. This occurs due to the ineffective sanitization and escaping of certain settings, opening vulnerabilities in configurations that should restrict unfiltered HTML capability. This can be particularly concerning in multisite setups.

Affected Version(s)

Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme 0 < 2.6.8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-2643 - Proof of Concept

References

https://wpscan.com/vulnerability/194ebf81-8fe4-4c74-8174-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 15, 2025
👾
Exploit known to exist
May 15, 2025
Vulnerability published
May 15, 2025
Vulnerability Reserved
Mar 19, 2024

Credit

Dmitrii Ignatyev

WPScan