Impact
The Top Bar Notification plugin for WordPress contains a critical flaw in which the tbn_ajax_add() function does not correctly validate the nonce. This missing protection allows an attacker to perform a cross‑site request forgery that updates the plugin's settings and injects malicious scripts into the site's stored data. The resulting stored cross‑site scripting can lead to execution of arbitrary JavaScript in the context of site visitors, potentially compromising user sessions, defacing content, or facilitating further attacks through replayed payloads.
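The checks whose absence is described above, shown as an added example and not the plugin's own code: a minimal insecure AJAX handler beside a hardened one. The option name, the field names, the nonce action string and the wp_ajax hook name are assumptions.

```php
<?php
// Added example, not code from the Top Bar Notification plugin. Option
// name, field names, nonce action and hook name are assumptions.

// Insecure pattern (hypothetical, simplified): no nonce check, no
// capability check, and the posted value is stored without sanitization.
function tbn_ajax_add_insecure() {
    update_option( 'tbn_settings', $_POST['settings'] ); // stored as-is
    wp_die();
}

// Hardened form of the same handler.
function tbn_ajax_add_hardened() {
    // 1. Nonce check: a forged cross-site request has no valid nonce, so
    //    it dies here. The nonce is issued to the admin page with
    //    wp_create_nonce( 'tbn_save' ) and posted in the 'security' field.
    check_ajax_referer( 'tbn_save', 'security' );

    // 2. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Sanitize every field before it is stored, so script markup never
    //    reaches the database even if a privileged user submits it.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array(
        'message' => wp_kses_post( $raw['message'] ?? '' ), // allowed HTML only
        'link'    => esc_url_raw( $raw['link'] ?? '' ),     // drops javascript: URLs
        'enabled' => ! empty( $raw['enabled'] ) ? 1 : 0,
    );
    update_option( 'tbn_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_tbn_ajax_add', 'tbn_ajax_add_hardened' );

// 4. Escape on output too, so data stored by an older, unpatched version
//    cannot execute in visitors' browsers.
function tbn_render_bar() {
    $s = get_option( 'tbn_settings', array() );
    if ( empty( $s['enabled'] ) ) {
        return;
    }
    printf(
        '<div class="tbn-bar"><a href="%s">%s</a></div>',
        esc_url( $s['link'] ?? '' ),
        wp_kses_post( $s['message'] ?? '' )
    );
}
add_action( 'wp_body_open', 'tbn_render_bar' );
```

Steps 1 and 2 close the CSRF vector; step 3 prevents the stored XSS, and step 4 is a defence-in-depth layer for settings already in the database.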
Affected Systems
Users of the Top Bar Notification plugin from vendor josereyev are affected, specifically all releases up to and including version 1.12. No specific patch levels are listed, so the vulnerability window covers every version up to and including 1.12.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation under current threat conditions. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires an unauthenticated attacker to trick a logged-in site administrator into triggering the forged AJAX request, typically via a malicious link or phishing email. While the attack surface is restricted to users with administrative privileges, a single click by such a user is enough to plant the stored XSS, making the risk significant for active WordPress sites.
OpenCVE Enrichment