CVE-2025-60149

Vulnerability

Overview The Notely plugin for WordPress versions up to and including 1.8.0 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during page generation. This enables attackers to inject arbitrary web scripts into the plugin's database, which are then executed when users access affected pages [1].

Exploitation

Details Exploitation requires a privileged user (e.g., an author or editor) to perform a specific action, such as clicking a malicious link or submitting a crafted form. The attacker does not need direct access to the site but relies on tricking a user with adequate permissions to execute the injected script. This attack can be used in mass-exploit campaigns targeting thousands of sites simultaneously [1].

Impact

Successful exploitation allows the attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute in the context of visitors' browsers, potentially leading to data theft, defacement, or further compromise of the site [1].

Mitigation

The vulnerability has been addressed in Notely version 1.9.0. Users are strongly advised to update the plugin immediately. If unable to update, site administrators should disable the plugin or seek assistance from their hosting provider. Patchstack users can enable automatic updates for vulnerable plugins [1].