CVE-2024-35170
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidden Depth Sticky banner allows Stored XSS. This issue affects Sticky banner: from n/a through 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WordPress Sticky Banner plugin ≤1.2.0 has a Stored XSS vulnerability allowing authenticated attackers to inject arbitrary scripts.
The Sticky Banner plugin for WordPress, in versions through 1.2.0, contains a Stored Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user input during web page generation, enabling the injection of malicious scripts into banner content [1].
Exploitation requires a privileged user role to perform an action such as clicking a malicious link or visiting a crafted admin page. Once triggered, the injected script is stored on the server and executed when other users (including visitors) access the affected banner [1].
An attacker can leverage this to inject arbitrary HTML and JavaScript payloads, which may be used for redirects, displaying advertisements, or other malicious activities. This vulnerability is mass-exploitable in campaigns targeting thousands of websites regardless of their size or popularity [1].
The vulnerability has been patched in version 1.3.0. Users are advised to update immediately or enable auto-updates via Patchstack [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <=1.2.0
- (no CPE), range: <=1.2.0
Patches
- v1.4.0, Release: sticky-banner 1.4.0 (next version after vulnerable 1.2.0)