Learn about CVE-2021-39340, an Authenticated Stored Cross-Site Scripting vulnerability in the Notification WordPress plugin up to version 7.2.4. Find mitigation steps and important details.
The Notification WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization, affecting versions up to and including 7.2.4.
Understanding CVE-2021-39340
This CVE describes an Authenticated Stored Cross-Site Scripting vulnerability in the Notification - Custom Notifications and Alerts for WordPress plugin.
What is CVE-2021-39340?
An authenticated attacker who holds an administrator account can inject arbitrary web script through certain plugin settings parameters; the payload is stored and executes in the browser of any user who later views the affected page. Administrators on a single-site install normally hold the unfiltered_html capability and can already post raw HTML, so the finding only crosses a security boundary where that capability has been removed: on multi-site installations, where only super admins hold unfiltered_html, and on sites that define DISALLOW_UNFILTERED_HTML.
The Impact of CVE-2021-39340
The CVSS v3.1 base score is 4.8 (MEDIUM), vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The attack is network reachable and low complexity, but it requires high privileges (an administrator account) and user interaction (a victim loading the affected page); the confidentiality and integrity impacts are low, availability is unaffected, and scope is changed because the injected script runs in the victim's browser rather than in the plugin itself.
Technical Details of CVE-2021-39340
This section provides in-depth technical information about the vulnerability.
Vulnerability Description
Settings values handled in the Notification plugin's ~/src/classes/Utils/Settings.php file are accepted without adequate validation or sanitization, so an administrator can persist script in a setting that the plugin later renders to other users, resulting in Stored Cross-Site Scripting.
Affected Systems and Versions
Notification - Custom Notifications and Alerts for WordPress plugin, versions up to and including 7.2.4.
Exploitation Mechanism
An attacker who holds an administrator account submits a crafted value in one of the affected settings parameters; the plugin stores it without adequate sanitization and later renders it, so the script executes for every user who views that page. On a site where administrators already hold unfiltered_html this adds nothing the attacker could not do legitimately; where the capability is absent (site administrators on multi-site, or any site defining DISALLOW_UNFILTERED_HTML) it bypasses the HTML filtering WordPress would otherwise apply to that user's content.
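The pattern behind a settings-page stored XSS and its hardened counterpart, as an added illustration that is not code from the Notification plugin. The option name `demo_notice_text`, the hypothetical nonce action and the `demo_` function names are assumptions; the WordPress API calls (`update_option`, `wp_kses_post`, `current_user_can`, `check_admin_referer`, `esc_html`) are the real core functions.

```php
<?php
/**
 * Added illustration (not code from the Notification plugin): a settings
 * handler that stores user input verbatim and echoes it back, beside a
 * hardened version. Option name 'demo_notice_text' and the nonce action
 * 'demo_save_setting' are assumed names for the example.
 */

// --- Vulnerable pattern --------------------------------------------------
// Stores the raw POST value and renders it unescaped. A user who can reach
// the settings page persists "<script>...</script>" once and it runs for
// every admin who later loads the page, including multisite site admins
// who do not hold unfiltered_html and could not post raw HTML elsewhere.
function demo_save_setting_vulnerable() {
    if ( ! isset( $_POST['demo_notice_text'] ) ) {
        return;
    }
    update_option( 'demo_notice_text', wp_unslash( $_POST['demo_notice_text'] ) );
}

function demo_render_setting_vulnerable() {
    echo '<p class="notice">' . get_option( 'demo_notice_text', '' ) . '</p>';
}

// --- Hardened pattern ----------------------------------------------------
// 1. Capability check: only users allowed to manage options may write.
// 2. Nonce check: the form must emit wp_nonce_field( 'demo_save_setting' ),
//    which blocks CSRF-driven writes.
// 3. Sanitize on input, matched to what the field may legitimately hold.
//    wp_kses_post() strips <script>, on* handlers and javascript: URLs while
//    keeping ordinary post-level markup. A user who genuinely holds
//    unfiltered_html (single-site admins, multisite super admins) keeps raw
//    HTML, which mirrors how core treats post content for that capability.
// 4. Escape on output with the function matching the output context.
function demo_save_setting_hardened() {
    if ( ! isset( $_POST['demo_notice_text'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'demo_save_setting' );

    $raw   = wp_unslash( $_POST['demo_notice_text'] );
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'demo_notice_text', $clean );
}

function demo_render_setting_hardened() {
    // HTML body context: filter again at render time so a value written via
    // another path (REST, WP-CLI, direct DB edit) is still neutralised.
    echo '<p class="notice">' . wp_kses_post( get_option( 'demo_notice_text', '' ) ) . '</p>';
}

function demo_render_setting_plain_text() {
    // If the field is meant to be plain text, escape rather than filter:
    // esc_html() for element content, esc_attr() inside an attribute.
    echo '<p class="notice" title="' . esc_attr( get_option( 'demo_notice_text', '' ) ) . '">'
        . esc_html( get_option( 'demo_notice_text', '' ) ) . '</p>';
}

// Only the hardened handler should ever be hooked.
add_action( 'admin_init', 'demo_save_setting_hardened' );
```

If the plugin uses the Settings API, the same input rule belongs in the `sanitize_callback` argument of `register_setting()`, which core invokes on every write to that option regardless of which form submitted it. The capability gate on `unfiltered_html` is what makes the handler behave correctly on both single-site and multi-site installs without special-casing either.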
Mitigation and Prevention
To address CVE-2021-39340, follow these mitigation steps and best security practices.
Immediate Steps to Take
Update the Notification plugin to a release newer than 7.2.4. Until that is done, review the plugin's stored settings for unexpected markup (script tags, event-handler attributes, javascript: URLs) and confirm that only trusted accounts hold the administrator role, since that role is what the attack requires.
Long-Term Security Practices
Treat administrator accounts as high-value: keep their number small and protect them with strong authentication. On multi-site installs, keep unfiltered_html reserved for super admins rather than granting it to site administrators, so that plugin sanitization bugs like this one remain the only path to raw HTML and are caught by review rather than silently tolerated.
Patching and Updates
Update the Notification WordPress plugin to a release newer than 7.2.4 and keep it current thereafter; follow the plugin's changelog and security advisories so later fixes are applied promptly.
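A triage helper for deciding whether a given install is in the exposed configuration, added here as an example rather than taken from the plugin or from WordPress core. It assumes the plugin's main file is at `notification/notification.php` under `WP_PLUGIN_DIR`, and takes 7.2.4 as the last affected release, which is what the page states; the `demo_` function name is an assumption. Load it as a must-use plugin and call it from WP-CLI.

```php
<?php
/**
 * Added triage snippet (not from the Notification plugin or WordPress core).
 * Reports whether this install runs an affected version AND has
 * administrators who lack unfiltered_html, i.e. the case where
 * CVE-2021-39340 actually crosses a privilege boundary.
 * Assumed: main plugin file at notification/notification.php under
 * WP_PLUGIN_DIR; last affected version 7.2.4 (per the advisory text).
 */
function demo_cve_2021_39340_triage() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $main_file = WP_PLUGIN_DIR . '/notification/notification.php'; // assumed path
    $report    = array(
        'installed'                      => file_exists( $main_file ),
        'version'                        => null,
        'version_affected'               => false,
        'admins_without_unfiltered_html' => array(),
        'exposed'                        => false,
    );
    if ( ! $report['installed'] ) {
        return $report;
    }

    // get_plugin_data() parses the plugin header; markup/translation off.
    $data                       = get_plugin_data( $main_file, false, false );
    $report['version']          = $data['Version'];
    $report['version_affected'] = version_compare( $data['Version'], '7.2.4', '<=' );

    // user_can( ..., 'unfiltered_html' ) runs core's map_meta_cap rules, so it
    // returns false for site admins on multisite (only super admins hold the
    // capability) and for everyone when DISALLOW_UNFILTERED_HTML is defined.
    // Those are exactly the administrators for whom the bug is a real bypass.
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login' ),
    ) );
    foreach ( $admins as $admin ) {
        if ( ! user_can( $admin->ID, 'unfiltered_html' ) ) {
            $report['admins_without_unfiltered_html'][] = $admin->user_login;
        }
    }

    $report['exposed'] = $report['version_affected']
        && ! empty( $report['admins_without_unfiltered_html'] );

    return $report;
}

// Usage with this file loaded as an mu-plugin:
//   wp eval 'print_r( demo_cve_2021_39340_triage() );'
// On multisite, run it per site (wp --url=<site> eval ...) because the
// administrator role is assigned per blog.
```

A report with `version_affected` true but an empty `admins_without_unfiltered_html` list means the bug is not a privilege escalation on that site (administrators could already post raw HTML), but the plugin should still be updated; `exposed` true is the case to prioritise.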