{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1191", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-19T13:45:14.423Z", "datePublished": "2026-01-24T09:08:07.887Z", "dateUpdated": "2026-04-08T17:10:25.216Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:25.216Z"}, "affected": [{"vendor": "freemp", "product": "JavaScript Notifier", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "JavaScript Notifier <= 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97696702-4d40-41dd-a25f-f2ee7681a2c9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/javascript-notifier/trunk/javascript-notifier.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/javascript-notifier/tags/1.2.8/javascript-notifier.php#L75"}, {"url": "https://plugins.trac.wordpress.org/changeset/3449861/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "timeline": [{"time": "2026-01-23T20:32:01.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T17:40:00.715595Z", "id": "CVE-2026-1191", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:40:10.418Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T17:40:00.715595Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:40:06.617Z"}}], "cna": {"title": "JavaScript Notifier <= 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings", "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "freemp", "product": "JavaScript Notifier", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T20:32:01.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97696702-4d40-41dd-a25f-f2ee7681a2c9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/javascript-notifier/trunk/javascript-notifier.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/javascript-notifier/tags/1.2.8/javascript-notifier.php#L75"}], "descriptions": [{"lang": "en", "value": "The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-24T09:08:07.887Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1191", "state": "PUBLISHED", "dateUpdated": "2026-01-26T17:40:10.418Z", "dateReserved": "2026-01-19T13:45:14.423Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T09:08:07.887Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin JavaScript Notifier para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de la configuraci\u00f3n del plugin en todas las versiones hasta la 1.2.8, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida inadecuado en los atributos proporcionados por el usuario en la acci\u00f3n 'wp_footer'. Esto hace posible que atacantes autenticados, con acceso de nivel de administrador, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1191", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T09:15:53.847", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/javascript-notifier/tags/1.2.8/javascript-notifier.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/javascript-notifier/trunk/javascript-notifier.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3449861/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97696702-4d40-41dd-a25f-f2ee7681a2c9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:23:47.095697+00:00", "value": {"mitigation_remediation": ["Upgrade the JavaScript Notifier plugin to the latest version (at least\u00a01.2.9).", "If an upgrade cannot be performed immediately, disable or delete the plugin to eliminate the attack vector.", "After applying the fix or disabling the plugin, review the site footer for any remaining injected scripts and remove any custom code that may have been added before the patch."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the JavaScript Notifier plugin with version\u00a01.2.8 or earlier are affected. The vulnerability is exploitable by anyone with administrator\u2011level privileges to the WordPress site and applies to all pages that load the plugin\u2019s footer code.", "description_and_impact": "The JavaScript Notifier WordPress plugin is vulnerable because user\u2011supplied attributes in plugin settings are not properly sanitized. An administrator can inject arbitrary JavaScript that is rendered in the page footer, causing the code to run for any visitor to the site. This stored cross\u2011site scripting attack leverages insufficient input sanitization and output escaping on user\u2011supplied attributes in the wp_footer action. The weakness corresponds to CWE\u201179.", "risk_and_exploitability": "The CVSS score of\u00a04.4 indicates low severity, but the EPSS score of less than\u00a01% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentic access with administrative rights and relies on the attacker inserting malicious content into plugin settings, which will then be served to all site visitors. The overall risk is low, primarily driven by the credential requirement and low exploit likelihood."}}}}, "created": "2026-01-26T11:48:28.855434+00:00", "updated": "2026-04-16T01:30:20.312163+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}