Description
The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-24
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The JavaScript Notifier WordPress plugin stores administrator-supplied settings and echoes them into markup emitted from the wp_footer action without adequate input sanitization or output escaping. An administrator, or an attacker holding an administrator account, can therefore store arbitrary JavaScript in those settings; the script is rendered in the footer of every page that loads it and runs in the browser of any visitor, not only the account that stored it. The weakness is stored cross-site scripting, CWE-79.
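The mechanism described above, as an added illustration for this advisory (this is not the JavaScript Notifier plugin's own code; the option name `jsn_notice`, the element id and the settings group are assumed): a footer callback that echoes stored settings raw, beside a hardened version that sanitizes on save and escapes for the exact output context.

```php
<?php
/*
 * Illustration added for this advisory; it is not code from the JavaScript
 * Notifier plugin. The option name (jsn_notice), element id and settings group
 * are assumed for the example. Requires a WordPress runtime: get_option,
 * register_setting, esc_attr, esc_html, sanitize_text_field, wp_parse_args and
 * wp_json_encode are WordPress APIs.
 */

/* Vulnerable pattern: admin-supplied settings echoed raw from wp_footer.
 * A stored value such as   " onmouseover="alert(document.cookie)
 * closes the attribute and adds an event handler, so the script runs for
 * every visitor of every page that prints the footer (stored XSS, CWE-79). */
function jsn_footer_vulnerable() {
    $defaults = array( 'text' => '', 'color' => '#333333' );
    $opts     = wp_parse_args( get_option( 'jsn_notice', $defaults ), $defaults );
    echo '<div id="jsn-notice" data-text="' . $opts['text']
       . '" data-color="' . $opts['color'] . '"></div>';
}

/* Hardened pattern, step 1: sanitize on save. Registering the option with a
 * sanitize_callback makes options.php run it on every update, so a crafted
 * settings form or direct request cannot bypass it. */
function jsn_sanitize_notice( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array(
        'text'  => isset( $input['text'] ) ? sanitize_text_field( $input['text'] ) : '',
        'color' => '#333333',
    );
    // Allow-list the colour: a 3- or 6-digit hex value, nothing else.
    if ( isset( $input['color'] ) && preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', $input['color'] ) ) {
        $clean['color'] = $input['color'];
    }
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting( 'jsn_options_group', 'jsn_notice', array(
        'type'              => 'array',
        'sanitize_callback' => 'jsn_sanitize_notice',
        'default'           => array( 'text' => '', 'color' => '#333333' ),
    ) );
} );

/* Hardened pattern, step 2: escape on output for the exact context. Stored
 * data is untrusted even when only administrators can write it, because the
 * payload executes in other users' browsers (the scope change in the CVSS
 * vector). Attribute context gets esc_attr(), text context gets esc_html(),
 * and values destined for JavaScript go into a JSON data block encoded with
 * the HEX flags so a "</script>" inside the data cannot end the element. */
function jsn_footer_hardened() {
    $defaults = array( 'text' => '', 'color' => '#333333' );
    $opts     = wp_parse_args( get_option( 'jsn_notice', $defaults ), $defaults );

    printf(
        '<div id="jsn-notice" data-color="%1$s">%2$s</div>',
        esc_attr( $opts['color'] ),
        esc_html( $opts['text'] )
    );
    printf(
        '<script type="application/json" id="jsn-notice-data">%s</script>',
        wp_json_encode( $opts, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT )
    );
    // Front-end code reads it with
    // JSON.parse(document.getElementById('jsn-notice-data').textContent).
}
add_action( 'wp_footer', 'jsn_footer_hardened' );
```

Sanitizing on save and escaping on output are both needed: the sanitize_callback stops most payloads from being stored, and context-specific escaping on output means a value that reached the database by another route (an older plugin version, a direct database edit, an import) still cannot break out of the attribute or text node it is placed in.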

Affected Systems

All installations of the JavaScript Notifier plugin with version 1.2.8 or earlier are affected. The vulnerability is exploitable by anyone with administrator‑level privileges to the WordPress site and applies to all pages that load the plugin’s footer code.

Risk and Exploitability

The CVSS 3.1 base score of 4.4 is rated Medium, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The vector (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) reflects the conditions: exploitation requires authenticated access with administrator rights, and the attacker must first store malicious content in the plugin settings, which is then served to every visitor of pages that load the footer; the scope change (S:C) records that the payload executes in other users' browsers rather than only the attacker's. The overall risk is low, driven primarily by the privilege requirement and the low exploit likelihood.

Generated by OpenCVE AI on April 16, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JavaScript Notifier plugin to the latest version (at least 1.2.9).
  • If an upgrade cannot be performed immediately, disable or delete the plugin to eliminate the attack vector.
  • Upgrading fixes the escaping but does not remove content already stored in the plugin's settings. After applying the fix or disabling the plugin, review the plugin settings and the rendered site footer for injected scripts, remove any custom code that was added before the patch, and treat any such finding as evidence that an administrator account was misused.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared (none) Wordpress; Wordpress wordpress
Vendors & Products (none) Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
Description The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title JavaScript Notifier <= 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:25.216Z

Reserved: 2026-01-19T13:45:14.423Z

Link: CVE-2026-1191

Vulnrichment

Updated: 2026-01-26T17:40:06.617Z

NVD

Status : Deferred

Published: 2026-01-24T09:15:53.847

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:30:20Z

Weaknesses