Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rocket Apps Notely notely allows Stored XSS. This issue affects Notely: from n/a through <= 1.8.0.
Published: 2025-09-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are stored and served to all visitors. The stored XSS can execute arbitrary JavaScript within the context of the website, potentially enabling session hijacking, defacement, or the execution of malicious payloads. The weakness aligns with CWE-79, where a lack of output encoding permits injection of executable code.

Affected Systems

This flaw exists in the WordPress Notely plugin provided by Rocket Apps, specifically for versions n/a through 1.8.0. Users running any of those releases are susceptible, regardless of the WordPress core version. The vulnerability is tied to the plugin's handling of user-supplied content that is displayed on the site.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity for this stored XSS flaw. The EPSS score is below 1%, suggesting a very low probability of widespread exploitation at present. The vulnerability is not listed in CISA's KEV catalog. Based on the description that the issue allows Stored XSS in Notely versions up to 1.8.0, the likely attack path involves an attacker injecting malicious content through the plugin's input fields, which is subsequently rendered on pages that visitors load. This inference is drawn directly from the stated vulnerability type; the CVE data does not specify additional prerequisites or constraints, so the attack vector is inferred to be via user-controlled input that is displayed. Successful exploitation could lead to session hijacking or arbitrary script execution for any user who views the affected content.

Generated by OpenCVE AI on April 30, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Notely plugin to a version newer than 1.8.0 when an update becomes available from Rocket Apps.
  • If an update is unavailable, remove or disable the Notely plugin until a patched version is released.
  • Apply content sanitization or escaping on any stored data, or install a Web Application Firewall rule that blocks typical XSS payloads.
  • Restrict the plugin’s functionality to trusted administrators, limiting the number of users who can create or edit content that is rendered.

Advisories

Source: EUVD
ID: EUVD-2025-31255
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Ott Notely allows Stored XSS. This issue affects Notely: from n/a through 1.8.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Ott Notely allows Stored XSS. This issue affects Notely: from n/a through 1.8.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rocket Apps Notely notely allows Stored XSS. This issue affects Notely: from n/a through <= 1.8.0.
Title
  Removed: WordPress Notely Plugin <= 1.8.0 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Notely plugin <= 1.8.0 - Cross Site Scripting (XSS) vulnerability
References
Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Mon, 29 Sep 2025 09:45:00 +0000

First Time appeared
  Added: Wordpress; Wordpress wordpress
Vendors & Products
  Added: Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 13:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Ott Notely allows Stored XSS. This issue affects Notely: from n/a through 1.8.0.
Title
  Added: WordPress Notely Plugin <= 1.8.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses
  Added: CWE-79
References
Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:55.771Z

Reserved: 2025-09-25T15:28:03.106Z

Link: CVE-2025-60149

Vulnrichment

Updated: 2025-09-26T13:07:21.052Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:43.390

Modified: 2026-04-23T15:34:18.813

Link: CVE-2025-60149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:00:12Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')