VYPR
High severity 7.1 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-23741

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Florian Chaillou Notifications Center notifications-center allows Reflected XSS. This issue affects Notifications Center: from n/a through <= 1.5.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WordPress Notifications Center plugin ≤1.5.2 allows attackers to inject malicious scripts via improperly neutralized input.

Vulnerability Description

The Notifications Center plugin for WordPress, versions up to and including 1.5.2, contains a reflected cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user input during web page generation. This allows an attacker to inject arbitrary HTML or JavaScript code into the response page.

Exploitation Details

Exploitation requires user interaction. A privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a specially formed form that triggers the vulnerability. The attacker does not need prior authentication to the WordPress site but relies on tricking an authenticated user into performing an action [1].

Impact

Successful exploitation could allow a malicious actor to inject scripts that execute in the context of the victim's browser session. This can be used to perform actions like redirecting visitors, displaying advertisements, or stealing session cookies. The vulnerability is considered moderately dangerous and is expected to be included in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The plugin vendor advises an immediate update. Users unable to update should contact their hosting provider or web developer for alternative protections, such as applying a virtual patch [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
