Description
The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The AJS Footnotes plugin for WordPress contains a stored cross‑site scripting flaw that allows an unauthenticated user to modify the "note_list_class" and "popup_display_effect_in" settings via the settings form. Because the plugin bypasses authorization checks, omits nonce validation, and fails to sanitize or escape these parameters, the malicious input is persisted in the database and later rendered on any page that includes the settings. This results in arbitrary JavaScript execution in the browsers of all site visitors who load an affected page.

Affected Systems

All installations of the AJS Footnotes plugin with version 1.0 or earlier, regardless of the WordPress core version, are vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate‑to‑high severity, while the EPSS score of less than 1 percent suggests that widespread exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. An attacker can exploit the vulnerability by sending unauthenticated POST requests that modify the plugin settings, causing the injected script to be served to any visitor. Inferred from typical XSS outcomes, the payload could be used to deface the site, steal session cookies, or launch other client‑side attacks, though these consequences are not explicitly documented in the description.

Generated by OpenCVE AI on April 22, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or delete the AJS Footnotes plugin from the WordPress installation to prevent execution of stored scripts.
  • Apply a custom patch that enforces user authentication and nonce validation for the plugin’s settings form, and that properly sanitizes and escapes the "note_list_class" and "popup_display_effect_in" parameters before storing them.
  • Deploy a Web Application Firewall rule that blocks POST requests to the plugin’s settings endpoint unless they contain a valid nonce and are made by an authenticated user.
  • Verify the plugin version; if it is 1.0 or earlier, schedule migration to a newer version once a vendor update addressing the flaw is released.
  • Conduct a security audit of the WordPress installation to detect other potential XSS or authentication bypass vulnerabilities and enable active monitoring tools to alert on suspicious changes.
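What the second recommended action looks like in code, as an added illustration that is not the AJS Footnotes plugin's own source: a WordPress settings-save handler that checks capability and nonce before writing, constrains the two parameters named in the description, and escapes them on output. The option name, nonce action, hook name and the allowed effect values are assumptions.

```php
<?php
// Added example of a hardened settings-save handler for a WordPress plugin.
// Not the AJS Footnotes code; option name, nonce action, hook name and the
// allowed effect values are assumptions made for illustration.

function ajs_example_save_settings() {
    // 1. Authorization: only users who may manage options can save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must carry a valid nonce for this action.
    check_admin_referer( 'ajs_example_save_settings', 'ajs_example_nonce' );

    // 3. Input sanitization. note_list_class is a CSS class name, so restrict
    //    it to the characters a class may contain (fallback if nothing survives).
    $note_list_class = isset( $_POST['note_list_class'] )
        ? sanitize_html_class( wp_unslash( $_POST['note_list_class'] ), 'ajs-notes' )
        : 'ajs-notes';

    // popup_display_effect_in selects a predefined effect: compare against an
    // allowlist (values assumed) instead of storing free text.
    $allowed_effects = array( 'fade', 'slide', 'none' );
    $effect = isset( $_POST['popup_display_effect_in'] )
        ? sanitize_key( wp_unslash( $_POST['popup_display_effect_in'] ) )
        : 'none';
    if ( ! in_array( $effect, $allowed_effects, true ) ) {
        $effect = 'none';
    }

    update_option( 'ajs_example_settings', array(
        'note_list_class'         => $note_list_class,
        'popup_display_effect_in' => $effect,
    ) );
}
add_action( 'admin_post_ajs_example_save_settings', 'ajs_example_save_settings' );

// 4. Output escaping: escape at render time even though the stored values are
//    already constrained, so a later change to the sanitizer cannot reintroduce XSS.
function ajs_example_render_note_list() {
    $settings = get_option( 'ajs_example_settings', array() );
    $class  = isset( $settings['note_list_class'] ) ? $settings['note_list_class'] : 'ajs-notes';
    $effect = isset( $settings['popup_display_effect_in'] ) ? $settings['popup_display_effect_in'] : 'none';
    printf(
        '<ol class="%s" data-effect-in="%s"></ol>',
        esc_attr( $class ),
        esc_attr( $effect )
    );
}
```

The matching admin form posts to admin-post.php with a hidden `action` field of `ajs_example_save_settings` and includes `wp_nonce_field( 'ajs_example_save_settings', 'ajs_example_nonce' )`, which is the nonce `check_admin_referer()` verifies above.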

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type: Description
Values Added: The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: AJS Footnotes <= 1.0 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:32.865Z

Reserved: 2025-12-30T20:23:43.854Z

Link: CVE-2025-15378

Vulnrichment

Updated: 2026-01-15T18:44:09.432Z

NVD

Status: Deferred

Published: 2026-01-14T06:15:54.437

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:00:07Z

Weaknesses