Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdever Target Notifications target-notifications allows Reflected XSS. This issue affects Target Notifications: from n/a through <= 1.1.1.
Published: 2025-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Target Notifications plugin for WordPress contains a Reflected Cross‑Site Scripting (XSS) flaw that occurs when the plugin does not properly neutralize user input before outputting it to a web page. Because the plugin echoes back data submitted by a user without filtering, an attacker could inject malicious JavaScript that would execute in the victim’s browser when the affected page is viewed. This vulnerability is classified under CWE‑79.

Affected Systems

WordPress sites running the Target Notifications plugin, distributed by wpdever, at version 1.1.1 or earlier are vulnerable. Any WordPress environment where the plugin is active is affected, regardless of the underlying OS or WordPress version.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. The likely attack scenario involves crafting a URL or submitting form data that the plugin reflects unfiltered, and it probably does not require authentication (this inference is based on the fact that the input is reflected directly). The impact is limited to script execution in the victim’s browser context.

Generated by OpenCVE AI on May 2, 2026 at 09:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Target Notifications to the latest released version (≥1.1.2).
  • If the plugin must remain at an older version, ensure that any data the plugin outputs is passed through the WordPress API sanitization functions such as wp_kses or add_filter to escape HTML.
  • Deploy or update a web application firewall rule to block or sanitize reflected XSS payloads targeting the plugin’s endpoints.

Advisories
Source | ID | Title
EUVD | EUVD-2025-2755 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Plugins Target Notifications allows Reflected XSS. This issue affects Target Notifications: from n/a through 1.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Plugins Target Notifications allows Reflected XSS. This issue affects Target Notifications: from n/a through 1.1.1.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdever Target Notifications target-notifications allows Reflected XSS. This issue affects Target Notifications: from n/a through <= 1.1.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Plugins Target Notifications allows Reflected XSS. This issue affects Target Notifications: from n/a through 1.1.1.
Title WordPress Target Notifications plugin <= 1.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:59.912Z

Reserved: 2025-01-03T13:16:57.347Z

Link: CVE-2025-22357

Vulnrichment

Updated: 2025-01-07T15:51:49.589Z

NVD

Status: Deferred

Published: 2025-01-07T11:15:19.013

Modified: 2026-06-17T08:46:44.557

Link: CVE-2025-22357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')