WordPress Announce from the Dashboard Plugin <= 1.5.1 is vulnerable to Cross Site Scripting (XSS)

Vulnerability

Auth (admin+) Stored Cross-Site Scripting (XSS) in gqevu6bsiz's Announce from the Dashboard plugin for WordPress, affecting versions up to and including 1.5.1. The vulnerability resides in the plugin's announcement feature, where an administrator can create announcements that are displayed on the dashboard. Insufficient sanitization of the announcement content allows malicious JavaScript to be stored and executed in the context of the admin dashboard pages [1].

Exploitation

The attacker must have admin-level access to the WordPress site (at least the capability to create/edit announcements, which is typically admin or higher). No additional authentication or special conditions are required beyond standard WordPress admin privileges. The attacker creates or edits an announcement and injects JavaScript payload into the announcement content; when other admin users view the dashboard, the payload executes [1]. The stored XSS persists in the announcement data until removed.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any admin user viewing the dashboard announcements. This could lead to session hijacking, credential theft, defacement, or other actions performed within the victim's authenticated admin session [1]. Since the payload runs in the admin context, the attacker could also gain full administrative control over the WordPress instance.

Mitigation

The vulnerability is fixed in version 1.5.2, released 2023-02-11, and further updated in version 1.5.3, released 2024-03-30 [1]. Users should update to at least version 1.5.2 (or later) immediately. No workarounds are documented in the available references; the only mitigation is to apply the plugin update.