CVE-2024-13866 Information
Mar 07, 2025
cve
Description
The Simple Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Reference
https://wordpress.org/plugins/simple-notification/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/e814f798-5ebc-4bea-838f-d0a803f9bdbc?source=cve
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
CHANGED
Integrity Impact
LOW
Availability Impact
LOW
Base Score
NONE
Base Severity
6.4
Share on: