VYPR
Medium severity (5.5) · NVD Advisory · Published Mar 6, 2025 · Updated Apr 15, 2026

CVE-2025-1672

Description

The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Notibar plugin for WordPress (≤2.1.5) has a stored XSS vulnerability in admin settings, exploitable by admins on multisite or when unfiltered_html is disabled.

Vulnerability

Details

The Notibar – Notification Bar for WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.1.5 [1]. The vulnerability arises from insufficient input sanitization and output escaping in the plugin's admin settings, allowing authenticated attackers with administrator-level permissions to inject arbitrary web scripts.
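The description names the two defects that together produce this class of bug: settings are stored without sanitization and rendered without context-appropriate escaping. The following is an added illustration of the sanitize-on-save, escape-on-output pattern as a WordPress plugin would apply it to a notification-bar setting; it is not Notibar's code, and the option names, option group and function names (`example_bar_message`, `example_bar_url`, `example_bar_group`, `example_bar_*`) are hypothetical. All WordPress API calls used (`register_setting`, `wp_kses_post`, `esc_url_raw`, `esc_url`, `current_user_can`, `get_option`) are real core functions.

```php
<?php
// Added illustration (not the Notibar plugin's own code). Option, group and function
// names are hypothetical; the WordPress API calls are real core functions.

// 1. Register each setting with a sanitize_callback so that every write passes
//    through it, whether it arrives via the settings form, the REST API or WP-CLI.
//    update_option() itself applies no filtering, which is why a plugin that skips
//    this step stores whatever an admin submits verbatim.
add_action( 'admin_init', function () {
    register_setting( 'example_bar_group', 'example_bar_message', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_bar_sanitize_message',
        'default'           => '',
    ) );
    register_setting( 'example_bar_group', 'example_bar_url', array(
        'type'              => 'string',
        'sanitize_callback' => 'esc_url_raw', // keeps only safe URL schemes
        'default'           => '',
    ) );
} );

// 2. On save: honour WordPress's own trust model. A user who holds unfiltered_html
//    is allowed raw markup by policy; everyone else (multisite administrators, or any
//    site where the capability was disabled) gets post-content kses filtering, which
//    strips <script>, on* event handlers and javascript: URLs.
function example_bar_sanitize_message( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

// 3. On output: escape for the exact context the value lands in. The URL goes into
//    an href attribute (esc_url), the message into the HTML body (wp_kses_post,
//    applied again because stored values may predate the sanitize step).
function example_bar_render() {
    $message = get_option( 'example_bar_message', '' );
    $url     = get_option( 'example_bar_url', '' );
    if ( '' === $message ) {
        return;
    }
    // The weak form this pattern replaces would be:
    //   echo '<div class="bar"><a href="' . $url . '">' . $message . '</a></div>';
    printf(
        '<div class="example-bar"><a href="%s">%s</a></div>',
        esc_url( $url ),
        wp_kses_post( $message )
    );
}
add_action( 'wp_footer', 'example_bar_render' );
```

The two layers are deliberately independent: the save-time callback limits what can be stored, and the render-time escaping limits what can be emitted, so a value written by an older version of the plugin, or through a code path that bypassed the settings API, is still rendered safely.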

Exploitation

To exploit this vulnerability, an attacker must have administrator-level access to a WordPress installation. The attack is only effective on multi-site installations or on single-site installations where the unfiltered_html capability has been disabled. The injected scripts are stored and will execute whenever a user accesses a page containing the malicious payload.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the affected pages.

Mitigation

Users should update the Notibar plugin to a patched version if available. As of the publication date, version 2.1.5 is the latest affected version; users are advised to check the plugin's WordPress.org page [1] for updates. Restricting administrator access and enabling unfiltered_html where possible can reduce the attack surface.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2 · Patches: 1 · References: 3 · News mentions: 0