Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper NotificationX notificationx allows Stored XSS.This issue affects NotificationX: from n/a through <= 2.9.5.
Published: 2025-02-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows stored cross‑site scripting (XSS) in the WPDeveloper NotificationX plugin. Because the payload is persisted through the plugin’s storage mechanisms, it will be delivered to every browser that renders the affected content. The impact is limited to the web application and the browsers of site visitors; no compromise of the underlying WordPress installation or server is described in the official disclosure.

Affected Systems

This issue affects the WPDeveloper NotificationX plugin for WordPress in any installation running version 2.9.5 or earlier. The vulnerability is listed for all releases up to and including 2.9.5; later versions are not affected.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a very low but non‑zero probability that this vulnerability is exploited in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker with the ability to enter data into the plugin’s content creation or editing interface; after the input is stored, any user who views the affected page will receive the malicious script. This inference is drawn from the wording that the flaw permits stored XSS, but the exact prerequisites are not explicitly stated in the supplied information.

Generated by OpenCVE AI on May 2, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NotificationX plugin to a version newer than 2.9.5 if an updated release is available, where the stored XSS issue is resolved.
  • If an upgrade cannot be performed immediately, disable or remove the NotificationX plugin to eliminate the vulnerable code path.
  • Ensure that any content accepted by the plugin is properly sanitized or enforce a strict content‑security‑policy to mitigate exposure to unfiltered input.

Generated by OpenCVE AI on May 2, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2911 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper NotificationX allows Stored XSS. This issue affects NotificationX: from n/a through 2.9.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper NotificationX allows Stored XSS. This issue affects NotificationX: from n/a through 2.9.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper NotificationX notificationx allows Stored XSS.This issue affects NotificationX: from n/a through <= 2.9.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wpdeveloper:notificationx:*:*:*:*:free:wordpress:*:*

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00034}

 epss

{'score': 0.00044}

Mon, 03 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper NotificationX allows Stored XSS. This issue affects NotificationX: from n/a through 2.9.5.
Title WordPress NotificationX plugin <= 2.9.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wpdeveloper Notificationx
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:04.334Z

Reserved: 2025-01-07T21:03:06.952Z

Link: CVE-2025-22683

cve-icon Vulnrichment

Updated: 2025-02-03T15:19:15.756Z

cve-icon NVD

Status : Modified

Published: 2025-02-03T15:15:18.440

Modified: 2026-04-23T15:23:23.487

Link: CVE-2025-22683

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T09:30:20Z

Weaknesses