Stored Cross-Site Scripting in Simple Banner Plugin for WordPress
CVE-2025-12033

4.4 MEDIUM

What is CVE-2025-12033?

The Simple Banner plugin for WordPress lets site owners add banners and notifications, but all versions up to and including 3.0.10 are vulnerable to Stored Cross-Site Scripting (XSS). The flaw comes from insufficient input sanitization and output escaping of the 'pro_version_activation_code' parameter: an authenticated attacker with administrator-level access can store script in this setting, and the injected script then executes in the browser of any user who visits a page where the stored value is rendered. Because WordPress administrators on a standard single-site install already hold the unfiltered_html capability, this issue mainly matters on multi-site installations or on sites where unfiltered HTML has been disabled, which is where the plugin's own sanitization is the only control. It also underscores the importance of keeping WordPress plugins updated.
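The defensive pattern that closes this class of bug is to sanitize a setting on the way into the database and escape it for its output context on the way back out. The following PHP is an added illustration written for this advisory; it is not code from the Simple Banner plugin, and the option name `demo_activation_code` and all function names are hypothetical. The first pair of functions shows the weak shape (raw value stored and echoed), the second shows the hardened shape using the WordPress Settings API with a `sanitize_callback` plus `esc_attr()` / `esc_html()` at render time.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// Option and function names below are hypothetical placeholders.

// --- WEAK pattern: store whatever was submitted, echo it back unescaped ---
function demo_weak_save_activation_code() {
    if ( isset( $_POST['demo_activation_code'] ) ) {
        // No sanitize_callback, no character restriction: markup survives intact.
        update_option( 'demo_activation_code', wp_unslash( $_POST['demo_activation_code'] ) );
    }
}

function demo_weak_render_field() {
    $code = get_option( 'demo_activation_code', '' );
    // The stored string lands inside an attribute and inside element text
    // with no escaping, so stored markup is interpreted by the browser.
    echo '<input type="text" name="demo_activation_code" value="' . $code . '">';
    echo '<p>Current code: ' . $code . '</p>';
}

// --- HARDENED pattern: sanitize on input, escape on output ---
function demo_register_setting() {
    register_setting(
        'demo_settings_group',
        'demo_activation_code',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_sanitize_activation_code',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_register_setting' );

function demo_sanitize_activation_code( $value ) {
    // sanitize_text_field() strips tags and control characters; the regex then
    // restricts the value to the character set an activation code is expected
    // to use (assumed here: alphanumerics and hyphens), so no markup can be stored.
    $value = sanitize_text_field( (string) $value );
    return preg_replace( '/[^A-Za-z0-9\-]/', '', $value );
}

function demo_render_field() {
    $code = get_option( 'demo_activation_code', '' );
    // Escape for the exact context: esc_attr() for an HTML attribute,
    // esc_html() for element text. This holds even if a stale, unsanitized
    // value is still present in the database from before the fix.
    printf(
        '<input type="text" name="demo_activation_code" value="%s">',
        esc_attr( $code )
    );
    printf( '<p>Current code: %s</p>', esc_html( $code ) );
}
```

Escaping at output is the control that matters for values already sitting in the options table: a sanitize callback only protects future writes, so when auditing a fix for a stored XSS like this one, check both that new input is sanitized and that every place the option is rendered escapes it for its context.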

Affected Version(s)

Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website: all versions <= 3.0.10

References

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Cody Sixteen