CVE-2025-1672
Notibar <= 2.1.5 - Authenticated (Administrator+) Stored Cross-Site ScriptingThe Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
We have discovered 1,177 live websites that are affected by CVE-2025-1672.
Affected Software
| Product |  Notibar |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,177 live websites (91.95% of Notibar install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 13 versions ( 92.86% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Mar 6, 2025
- Updated - Mar 6, 2025
Credits
- Khang Duong (finder)
CWE
CVE References
CWE References
CVE-2025-1672 usage by Country
 United States | 584 websites |
 Germany | 101 websites |
 France | 67 websites |
 GB | 44 websites |
 Canada | 35 websites |
 Australia | 25 websites |
 Netherlands | 24 websites |
 Italy | 23 websites |
 Spain | 20 websites |
 Denmark | 19 websites |
CVE-2025-1672 usage by TLD
| .com | 556 websites |
| .org | 90 websites |
| .co.uk | 46 websites |
| .com.au | 42 websites |
| .de | 40 websites |
| .ca | 34 websites |
| .fr | 24 websites |
| .it | 22 websites |
| .net | 20 websites |
| .nl | 20 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-1672
Top websites that are affected by CVE-2025-1672. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | United States | ***,*** | |
| **********.org | United States | ***,*** | |
| ******.nl | Netherlands | ***,*** | |
| *******************.com | United States | ***,*** | |
| ************.com | United States | ***,*** | |
| ********.com |  Vietnam | ***,*** | |
| ***********.com | United States | ***,*** | |
| *******.com | United States | ***,*** | |
| **********.com | United States | ***,*** | |
| ***************.com | United States | ***,*** |
FAQ
CVE-2025-1672 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Notibar
A total of 1,177 websites have been identified as vulnerable to CVE-2025-1672, discovered through global website indexing conducted by WebTechSurvey.
Notibar is susceptible to CVE-2025-1672 vulnerability.
Notibar versions before, and including, 2.1.5 are vulnerable to CVE-2025-1672.