CVE-2025-15378
Stored XSS in AJS Footnotes Plugin Allows Settings Injection
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | ajs_footnotes | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the AJS Footnotes plugin for WordPress (version 1.0 and earlier). It is a Stored Cross-Site Scripting (XSS) flaw caused by missing authorization and nonce verification when saving settings, combined with insufficient input sanitization and output escaping. This allows unauthenticated attackers to modify plugin settings and inject malicious scripts that execute whenever a user visits an affected page.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can inject arbitrary web scripts into pages using the vulnerable plugin. These scripts execute in the context of users visiting those pages, potentially leading to theft of user credentials, session hijacking, defacement, or distribution of malware. Since the attacker does not need to be authenticated, the risk is higher, and it can compromise site integrity and user trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the AJS Footnotes WordPress plugin version 1.0 or earlier is installed and if the vulnerable parameters ('note_list_class' and 'popup_display_effect_in') can be manipulated. Since the vulnerability allows unauthenticated attackers to update plugin settings via missing authorization and nonce verification, one can look for suspicious HTTP POST requests to the plugin's settings endpoint that include these parameters. Commands to detect this might include using curl or similar tools to test for unauthorized settings changes, for example: curl -X POST -d 'note_list_class=<script>alert(1)</script>&popup_display_effect_in=fadeIn' http://targetsite/wp-admin/admin.php?page=ajs_footnotes_options. Additionally, scanning the WordPress installation for the plugin version can be done by checking the plugin files or querying the WordPress plugin API. However, no specific detection commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the AJS Footnotes plugin if it is not essential, or updating it if a fixed version beyond 1.0 is available. Since the vulnerability arises from missing authorization and nonce verification on settings save and insufficient input sanitization, restricting access to the plugin's settings page to trusted administrators only and applying Web Application Firewall (WAF) rules to block suspicious requests targeting the vulnerable parameters can help. Additionally, monitoring and sanitizing inputs related to 'note_list_class' and 'popup_display_effect_in' parameters can reduce risk. Since no fixed version is mentioned, disabling the plugin until a patch is released is advisable. [2]