Stored Cross-Site Scripting in Coronavirus (COVID-19) Notice Message WordPress Plugin
CVE-2025-0629

4.8MEDIUM

Key Information:

Vendor: WordPress
Status: Coronavirus (covid-19) Notice Message
Vendor: CVE Published:; 11 March 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Coronavirus (COVID-19) Notice Message WordPress plugin, in versions up to 1.1.2, has a significant security flaw where it fails to properly sanitize and escape certain settings. This oversight may enable users with high privileges, such as administrators, to execute Stored Cross-Site Scripting (XSS) attacks. Even in environments where the unfiltered_html capability is restricted, such as multisite setups, this vulnerability can be exploited to inject malicious scripts, leading to potential data compromise and manipulation.

Affected Version(s)

Coronavirus (COVID-19) Notice Message 0 <= 1.1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-0629 - Proof of Concept

References

https://wpscan.com/vulnerability/39c36d6d-5522-422b-b890-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Mar 11, 2025
👾
Exploit known to exist
Mar 11, 2025
Vulnerability published
Mar 11, 2025
Vulnerability Reserved
Jan 21, 2025

Credit

Bob Matyas

WPScan