Medium severity (6.3). NVD Advisory. Published Dec 13, 2024. Updated Apr 15, 2026.

CVE-2024-11012

Description

The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the njt_nofi_text AJAX action in all versions up to, and including, 2.1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Notibar plugin for WordPress (≤2.1.4) allows authenticated subscribers to execute arbitrary shortcodes via the njt_nofi_text AJAX action due to insufficient validation.

Vulnerability

Overview

The Notibar – Notification Bar for WordPress plugin (versions up to and including 2.1.4) contains an arbitrary shortcode execution vulnerability. The root cause lies in the njt_nofi_text AJAX action, which invokes do_shortcode() on user-supplied input without proper validation or sanitization [1]. This allows an attacker to inject and execute arbitrary WordPress shortcodes.

Exploitation

Prerequisites

Exploitation requires an authenticated WordPress user with at least Subscriber-level access. The vulnerable AJAX endpoint is accessible to such users, and no additional privileges are needed. The attacker can craft a request containing malicious shortcode syntax in the njt_nofi_text parameter, which the plugin then processes via do_shortcode().

Impact

Successful exploitation enables the attacker to execute any shortcode registered in the WordPress installation. This can lead to a variety of outcomes, such as injecting arbitrary content, exposing sensitive data (e.g., via shortcodes that output database information), or potentially escalating privileges if shortcodes that modify user roles or settings are available. The exact impact depends on the shortcodes present in the environment.

Mitigation

The vulnerability has been addressed in a subsequent release. Users are strongly advised to update the Notibar plugin to the latest version (2.1.5 or later) to remediate the issue. No workarounds are documented; updating is the recommended course of action.
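As an added illustration for the Overview and Mitigation sections above (this is not the plugin's, NVD's or the actual patch's code), the PHP below shows the defect class the advisory describes, a logged-in AJAX handler that passes request input straight to do_shortcode(), next to a hardened handler with the checks a reviewer would expect on such an endpoint: a nonce, a capability check, and stripping of shortcode tags before the value is stored. The handler, request parameter and option names are assumptions; only the AJAX action name njt_nofi_text comes from the advisory.

```php
<?php
/**
 * Added illustration, not the Notibar plugin's own code.
 * Function names, the 'text' POST parameter and the option name are hypothetical.
 */

// --- Vulnerable pattern (the defect class described in the advisory) ---
// wp_ajax_{action} hooks fire for any logged-in user, Subscribers included,
// so every protection for this endpoint has to live inside the handler.
function njt_nofi_text_vulnerable() {
    // Request-controlled text goes straight into do_shortcode(): every
    // shortcode registered on the site becomes reachable by a Subscriber.
    $text = isset( $_POST['text'] ) ? wp_unslash( $_POST['text'] ) : '';
    echo do_shortcode( $text );
    wp_die();
}

// --- Hardened handler ---
function njt_nofi_text_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (wp_create_nonce( 'njt_nofi_text_nonce' ) on the page that sends it).
    check_ajax_referer( 'njt_nofi_text_nonce', 'nonce' );

    // 2. Authorization: a site-wide notification bar is administrative
    //    content, so a login alone is not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: remove registered shortcode tags before anything
    //    can expand them, then allow only post-safe HTML.
    $raw  = isset( $_POST['text'] ) ? wp_unslash( $_POST['text'] ) : '';
    $text = wp_kses_post( strip_shortcodes( $raw ) );

    if ( '' === trim( $text ) ) {
        wp_send_json_error( array( 'message' => 'Notification text is empty.' ), 400 );
    }

    // Store the sanitized value; the bar is rendered from this option later
    // without calling do_shortcode() on it again. Option name is hypothetical.
    update_option( 'njt_nofi_text', $text );
    wp_send_json_success( array( 'text' => $text ) );
}

// Only the hardened handler is registered for the action named in the advisory.
add_action( 'wp_ajax_njt_nofi_text', 'njt_nofi_text_hardened' );
```

Two design points worth noting. First, strip_shortcodes() removes only shortcodes registered at the time it runs, so the render path must not call do_shortcode() on the stored option, otherwise a shortcode registered by a plugin installed later would still expand; if the feature genuinely needs shortcodes in the bar, the fix is the nonce and capability gating, not the stripping. Second, the capability check is the control that addresses the advisory's "Subscriber-level access" condition; the nonce alone would not, because a Subscriber can obtain a valid nonce for any page they can load.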

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
