CVE-2026-1191
Stored XSS in JavaScript Notifier Plugin Allows Admin Script Injection
Publication date: 2026-01-24
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freemp | javascript_notifier | to 1.2.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the JavaScript Notifier plugin for WordPress, affecting all versions up to and including 1.2.8. It occurs because the plugin does not properly sanitize and escape user-supplied input in its settings, specifically in the wp_footer action. As a result, an authenticated attacker with administrator-level access can inject malicious scripts that execute whenever a user visits the affected page.
How can this vulnerability impact me? :
The vulnerability allows an attacker with admin access to inject arbitrary JavaScript code into pages viewed by users. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement, or spreading malware. Since the malicious script executes in the context of the website, it can compromise the security and trustworthiness of the site for all visitors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the JavaScript Notifier plugin version is 1.2.8 or earlier and if there are any suspicious scripts injected via the plugin settings. Since the vulnerability is a stored XSS via plugin settings, you can audit the plugin settings for unexpected script tags or payloads. There are no specific commands provided in the resources to detect this vulnerability on your system or network. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the JavaScript Notifier plugin to a version later than 1.2.8 where the vulnerability is fixed. Additionally, restrict administrator-level access to trusted users only, and audit plugin settings for any injected scripts to remove them. Implementing proper input sanitization and output escaping as per the plugin update is also critical. [2]