Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification wp-header-notification allows Stored XSS. This issue affects WP Header Notification: from n/a through <= 1.2.7.
Published: 2025-01-07
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows an attacker to inject malicious scripts that are stored by the plugin and served to every visitor. This stored XSS flaw can lead to phishing, cookie theft, or arbitrary script execution in the browser context of visitors. The vulnerability is classified as CWE-79, a failure to escape special characters in user-supplied input before rendering it into a page.

Affected Systems

Arefly WP Header Notification plugin is affected from the earliest release through version 1.2.7. All installations using any of those versions are vulnerable regardless of the WordPress core version.

Risk and Exploitability

Based on the description, the likely attack vector is an attacker supplying a malicious payload, via the notification configuration interface, in a stored field that the plugin renders unescaped. The CVSS score of 5.9 indicates a moderate impact, while the EPSS score of less than 1% suggests the probability of exploitation is currently low. The plugin has no KEV listing, so it is not known to be actively exploited in the wild. Once injected, the script runs in the browser context of any visitor viewing pages where the notification is displayed.

Generated by OpenCVE AI on May 2, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Header Notification plugin to a version newer than 1.2.7 or permanently disable the plugin if an update is unavailable.
  • For sites that must remain on the vulnerable version, remove or sanitize all stored notifications by using WordPress’s sanitization functions such as sanitize_text_field() before rendering.
  • Deploy a Content Security Policy restricting script sources, and enable the XSS filter headers in the web server to mitigate the impact of any residual vulnerabilities.

Generated by OpenCVE AI on May 2, 2026 at 06:48 UTC.
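As an added illustration of the recommended actions above (this is example code, not the WP Header Notification plugin's own source, and the option key, function names and hook choices are assumptions), the following shows the CWE-79 pattern of echoing a stored notification verbatim next to two hardened renderers and a Content Security Policy header. One caveat worth keeping in mind: sanitize_text_field() is WordPress's input sanitizer and is applied when the value is saved, whereas esc_html() and wp_kses() are the output-escaping functions that protect the page even when a payload is already stored.

```php
<?php
/*
 * Illustrative example only (not the plugin's code): handling a stored
 * header-notification message so that markup entered on an admin settings
 * screen cannot run as script for visitors. Option key and function names
 * below are assumptions made for this example.
 */

// Option key under which the notification text is stored (assumed name).
const DEMO_NOTICE_OPTION = 'demo_header_notification_text';

// Save path: sanitize before storing. sanitize_text_field() strips tags,
// invalid UTF-8 and stray whitespace, so "<script>" does not reach the DB.
function demo_save_notification( string $raw_input ): void {
    $clean = sanitize_text_field( wp_unslash( $raw_input ) );
    update_option( DEMO_NOTICE_OPTION, $clean );
}

// VULNERABLE render (the pattern behind CWE-79): the stored string is
// echoed verbatim, so whatever is in the database is sent to the browser
// as HTML and any embedded script executes for every visitor.
function demo_render_notification_unsafe(): void {
    echo '<div class="header-notification">'
        . get_option( DEMO_NOTICE_OPTION, '' )
        . '</div>';
}

// HARDENED render: escape at output time regardless of what is stored.
// esc_html() turns < > & " ' into entities, so a payload that slipped past
// (or predates) input sanitization is displayed as text, not executed.
function demo_render_notification_safe(): void {
    $text = get_option( DEMO_NOTICE_OPTION, '' );
    echo '<div class="header-notification">' . esc_html( $text ) . '</div>';
}

// If limited formatting (links, emphasis) must be allowed, whitelist it
// instead of escaping everything: wp_kses() keeps only the listed tags and
// attributes and rejects unsafe URL schemes in href.
function demo_render_notification_rich(): void {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
    );
    echo '<div class="header-notification">'
        . wp_kses( get_option( DEMO_NOTICE_OPTION, '' ), $allowed )
        . '</div>';
}

// Defense in depth: a Content-Security-Policy without 'unsafe-inline'
// blocks inline <script> even if an escaping call is missed somewhere.
// The directive values are placeholders; tighten them for the real site.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );

// Emit the notification just after <body> using the hardened renderer.
add_action( 'wp_body_open', 'demo_render_notification_safe' );
```

Dropping this into a must-use plugin on a staging site is enough to compare the three renderers: enter `<script>alert(1)</script>` as the message and the unsafe function produces a dialog, the safe one shows the literal text, and the rich one strips the tag while keeping any allowed link. The CSP line is the layer that still helps when a template you did not write echoes the option directly.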

Advisories
Source: EUVD
ID: EUVD-2025-2854
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification allows Stored XSS. This issue affects WP Header Notification: from n/a through 1.2.7.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification allows Stored XSS.This issue affects WP Header Notification: from n/a through 1.2.7.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification wp-header-notification allows Stored XSS.This issue affects WP Header Notification: from n/a through <= 1.2.7.
  References
  Metrics cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 17:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification allows Stored XSS.This issue affects WP Header Notification: from n/a through 1.2.7.
  Title: WordPress WP Header Notification plugin <= 1.2.7 - Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.975Z

Reserved: 2025-01-07T10:23:42.744Z

Link: CVE-2025-22579

Vulnrichment

Updated: 2025-01-07T16:34:49.070Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:54.130

Modified: 2026-06-17T08:48:25.777

Link: CVE-2025-22579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')