The Notification WordPress plugin, in versions up to and including 7.2.4, is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization of several parameters found in the ~/src/classes/Utils/Settings.php file. This makes it possible for attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

CPE Name | Operator | Version |
---|---|---|
notification | eq | 6.1.4 |
notification | eq | 7.2.3 |
notification | eq | 6.1.1 |
notification | eq | 6.3.2 |
notification | eq | 6.0.1 |
notification | eq | 5.2.4 |
notification | eq | 6.3.1 |
notification | eq | 1.1.2 |
notification | eq | 6.0.4 |
notification | eq | 2.2 |