CVE-2025-49389
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WEN Solutions Notice Bar notice-bar allows Stored XSS. This issue affects Notice Bar: from n/a through <= 3.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored Cross-Site Scripting (XSS) in Notice Bar plugin ≤3.1.3 allows attackers to inject arbitrary scripts via unsanitized input, requiring admin interaction.
Vulnerability
Overview
The Notice Bar WordPress plugin versions 3.1.3 and earlier contain a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. The core issue is insufficient sanitization of user-supplied data: arbitrary HTML and JavaScript can be stored in the database and then rendered in the plugin's output on every page load.
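The following PHP snippet is an added illustration of this vulnerability class in a WordPress settings handler; it is not Notice Bar's code, and the hypothetical `example_notice_bar_*` function names and the `example_notice_bar_message` option are assumptions. It shows the weak pattern (store the submitted value as-is, echo it unescaped) beside a hardened version that checks capability and nonce on save, sanitizes with `wp_kses_post()` on input, and escapes again on output.

```php
<?php
/*
 * Hypothetical example_notice_bar settings handler, added here to illustrate
 * the stored-XSS class described above. Not the plugin's own code; option and
 * function names are assumptions.
 */

// VULNERABLE pattern: the message is stored exactly as submitted and echoed
// without escaping, so any markup a privileged user was induced to submit
// (via a crafted form or link) is served to every subsequent visitor.
function example_notice_bar_save_message_vulnerable() {
    if ( isset( $_POST['notice_message'] ) ) {
        update_option( 'example_notice_bar_message', wp_unslash( $_POST['notice_message'] ) );
    }
}

function example_notice_bar_render_vulnerable() {
    $message = get_option( 'example_notice_bar_message', '' );
    echo '<div class="notice-bar">' . $message . '</div>';
}

// HARDENED pattern: require the capability to manage options, verify the
// nonce so a forged cross-site request cannot drive the save, sanitize on
// input with wp_kses_post() (strips <script> and on* event attributes,
// keeps post-safe HTML), and escape again on output.
function example_notice_bar_save_message_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_notice_bar_save', 'example_notice_bar_nonce' );

    if ( isset( $_POST['notice_message'] ) ) {
        $raw = wp_unslash( $_POST['notice_message'] );
        update_option( 'example_notice_bar_message', wp_kses_post( $raw ) );
    }
}

function example_notice_bar_render_hardened() {
    $message = get_option( 'example_notice_bar_message', '' );
    // Escape on output too: stored values may predate the fix or be written
    // by another code path, so input sanitization alone is not enough.
    echo '<div class="notice-bar">' . wp_kses_post( $message ) . '</div>';
}

// Settings form carrying the nonce field the hardened handler verifies.
// The current value is escaped for a textarea context with esc_textarea().
function example_notice_bar_settings_form() {
    $message = get_option( 'example_notice_bar_message', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_notice_bar_save', 'example_notice_bar_nonce' );
    echo '<textarea name="notice_message">' . esc_textarea( $message ) . '</textarea>';
    submit_button( 'Save notice' );
    echo '</form>';
}
```

In a real plugin the sanitization step is best registered centrally with `register_setting( 'group', 'option_name', array( 'sanitize_callback' => 'wp_kses_post' ) )` so every write to the option passes through it. If the notice is meant to be plain text rather than rich HTML, `sanitize_text_field()` on save and `esc_html()` on output is the tighter choice.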
Exploitation
Prerequisites
Exploitation requires an authenticated user with elevated privileges — specifically those who can configure the plugin settings — to perform an action such as submitting a crafted form or clicking a malicious link [1]. The attacker must first persuade a privileged user to initiate the payload, after which the injected script executes automatically for any visitor loading the affected page. No further user interaction is needed for the stored script to run.
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the WordPress site [1]. This can be used to redirect visitors to malicious sites, display unauthorized advertisements, exfiltrate session cookies, or perform other client-side attacks. Since the injection is stored, the malicious content persists and affects all subsequent visitors until the payload is removed.
Mitigation
The vendor has released version 3.1.4 which resolves the vulnerability [1]. All users should update to this version immediately. For Patchstack users, auto-updates can be enabled for vulnerable plugins. Those unable to update should contact their hosting provider or web developer for assistance. Although the CVSS score is 6.5 (Medium) and the advisory suggests low exploitation likelihood, Stored XSS vulnerabilities can be leveraged in mass-exploit campaigns targeting thousands of sites [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 3.1.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.