What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gingerplugins Notification Bar, Sticky Notification Bar, Sticky Welcome Bar for any theme gp-notification-bar allows Stored XSS. This issue affects Notification Bar, Sticky Notification Bar, Sticky Welcome Bar for any theme: from n/a through <= 1.1.
Explanation of Vulnerability in Simple Terms
02 Summary
A stored cross-site scripting (XSS) vulnerability exists in Notification Bar and related plugins versions 1.1 and earlier. An authenticated admin can inject malicious JavaScript into notification settings. When site visitors view pages with the notification bar, the injected script executes in their browsers, potentially stealing session data or redirecting them to malicious sites.
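An added example (not code from the plugin or from this advisory): a Python audit a site owner could run over an export of stored notification-bar settings to flag values that would execute script if echoed into the page unescaped. The setting names and sample values are constructed; the plugin's real option keys are not given here.

```python
from html.parser import HTMLParser

# Tags a notification-bar text setting has no reason to contain and that can carry active content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "style", "link", "meta", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ActiveContentFinder(HTMLParser):
    """Collects reasons a stored setting value would run code if rendered unescaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            # Browsers ignore whitespace and control characters inside the URL scheme.
            scheme = "".join(c for c in (value or "") if c > " ").lower()
            if name in URL_ATTRS and scheme.startswith(("javascript:", "data:text/html")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit_settings(settings):
    """Return {setting_name: [findings]} for values that contain active content."""
    report = {}
    for name, value in settings.items():
        finder = ActiveContentFinder()
        finder.feed(str(value))
        finder.close()
        if finder.findings:
            report[name] = finder.findings
    return report


# Constructed sample: hypothetical setting names, not the plugin's real option keys.
SAMPLE_SETTINGS = {
    "bar_message": "Free shipping this week &amp; next!",
    "bar_button_text": '<img src="x.png" onerror="loadTracker()">',
    "bar_button_url": '<a href="java\tscript:void(0)">Shop</a>',
    "bar_custom_html": '<b>Sale</b> <script src="https://example.invalid/a.js"></script>',
}

if __name__ == "__main__":
    for key, reasons in audit_settings(SAMPLE_SETTINGS).items():
        print(key, "->", "; ".join(reasons))
```

A flagged value is a reason to review who changed that setting and when, since the prerequisite for this issue is admin-level access.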
What an attacker can do
03 Attacker Capabilities
Run malicious JavaScript in visitors' browsers to steal cookies, redirect them, or deface content.
Potential impact on your site
04 Site Impact
A compromised admin account can inject malicious code affecting all site visitors without their knowledge.
Conditions required to exploit
05 Prerequisites
Admin-level access to the WordPress site; victim must view a page displaying the notification bar.
Key dates
06 Disclosure timeline
March 31, 2025
CVE published
April 28, 2026
Record updated