VYPR
Medium severity (CVSS 5.9) · NVD Advisory · Published Mar 31, 2025 · Updated Apr 23, 2026

CVE-2025-31610

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gingerplugins Notification Bar, Sticky Notification Bar, Sticky Welcome Bar for any theme (gp-notification-bar) allows Stored XSS. This issue affects Notification Bar, Sticky Notification Bar, Sticky Welcome Bar for any theme: from n/a through <= 1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress Notification Bar plugin (gp-notification-bar) ≤1.1 allows authenticated attackers to inject malicious scripts via unsanitized input.

Vulnerability

Overview

The Notification Bar, Sticky Notification Bar, Sticky Welcome Bar for any theme plugin (gp-notification-bar) for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. Versions up to and including 1.1 are affected. The plugin fails to sanitize or escape input before storing it in the database and later rendering it on the frontend, allowing attackers to inject arbitrary HTML and JavaScript code [1].
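To make the mechanism concrete, the following is an added illustration, not code from the gp-notification-bar plugin: a hypothetical WordPress settings handler that stores a notification-bar message and renders it on the frontend, first in the unsafe "store raw, echo raw" form the description implies, then hardened with a capability check, a nonce, and sanitization on both save and output. The option name `nb_message`, the form field names and the function names are all assumptions.

```php
<?php
// Added example, not the plugin's own code. Option and field names are hypothetical.

// --- Vulnerable pattern: raw input stored, raw output echoed ---
function nb_save_message_vulnerable() {
    if ( isset( $_POST['nb_message'] ) ) {
        // No capability check, no nonce, no sanitization:
        // whatever markup was submitted is persisted as-is.
        update_option( 'nb_message', wp_unslash( $_POST['nb_message'] ) );
    }
}

function nb_render_bar_vulnerable() {
    // No escaping on output: stored markup runs for every visitor.
    echo '<div class="nb-bar">' . get_option( 'nb_message', '' ) . '</div>';
}

// --- Hardened pattern ---
function nb_settings_form_hardened() {
    // The nonce field ties the request to the logged-in admin's session,
    // so a form submitted from an attacker-controlled page is rejected.
    echo '<form method="post">';
    wp_nonce_field( 'nb_save_message', 'nb_nonce' );
    echo '<input type="text" name="nb_message" value="'
        . esc_attr( get_option( 'nb_message', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function nb_save_message_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only users who may manage settings can change the bar
    }
    // Dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'nb_save_message', 'nb_nonce' );
    if ( isset( $_POST['nb_message'] ) ) {
        // Keep only the HTML allowed in post content: script tags,
        // on* attributes and javascript: URLs are stripped before storage.
        $clean = wp_kses_post( wp_unslash( $_POST['nb_message'] ) );
        update_option( 'nb_message', $clean );
    }
}

function nb_render_bar_hardened() {
    // Filter again at output: defence in depth for values stored before the fix.
    echo '<div class="nb-bar">' . wp_kses_post( get_option( 'nb_message', '' ) ) . '</div>';
}
```

Filtering on output as well as on save matters here because, as the overview notes, the payload persists in the database: a sanitizer added only to the save path leaves already-stored markup live.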

Exploitation

Conditions

Exploitation requires a privileged user—such as an administrator—to perform an action like clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. The attacker does not need direct access to the site; instead, they can trick a logged-in administrator into triggering the payload. Once the malicious input is saved, it will execute automatically for any visitor viewing the affected notification bar [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts that can redirect visitors to phishing sites, display unwanted advertisements, steal session cookies, or deface the website. Because the injected code persists in the database, every subsequent page load that includes the notification bar will execute the payload, amplifying the attack's reach. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Mitigation

As an immediate action, update the plugin to the latest patched version if available. If no patch exists, consider disabling or removing the plugin until a fix is released. Site administrators should also review user roles and limit the number of users with elevated privileges to reduce the attack surface [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)