VYPR
Medium severity (5.9) · NVD Advisory · Published Sep 26, 2025 · Updated Apr 23, 2026

CVE-2025-60136

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cartpauj User Notes user-notes allows Stored XSS. This issue affects User Notes: from n/a through <= 1.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

User Notes WordPress Plugin ≤1.0.2 has a stored XSS vulnerability that allows attackers to inject malicious scripts via improperly sanitized input.

Vulnerability Overview

The User Notes plugin for WordPress, versions 1.0.2 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw falls under CWE-79 and allows an authenticated attacker with the necessary privileges to inject arbitrary HTML and JavaScript into the plugin's notes functionality; the injected content is stored and executed when other users view the affected page [1].

Exploitation Details

Attackers must hold a privileged role on the site (subscriber or higher) to exploit this vulnerability [1]. Successful exploitation also requires user interaction, such as a victim visiting a crafted link or a page containing the malicious note [1]. Once the script is stored in a note, it executes in the browsers of other users (including site administrators) who access the area where the note is displayed, which is what makes this a stored XSS scenario [1].

Impact

A successful attack allows the attacker to inject arbitrary scripts, redirect visitors to malicious sites, display unwanted advertisements, or perform other actions within the context of the victim's browser session [1]. This can result in credential theft, session hijacking, or defacement of the WordPress site.

Mitigation

The vulnerability is addressed in version 1.0.3 of the plugin [1]. Users are strongly advised to update immediately. Those unable to update should request assistance from their hosting provider or web developer [1]. Patchstack users can enable auto-updates for vulnerable plugins to stay protected automatically [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
