CVE-2024-11727: 
WordPress vulnerability analysis and mitigation

The NotificationX WordPress plugin (Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar) was found to contain a Stored Cross-Site Scripting vulnerability in versions up to and including 2.9.3. The vulnerability was discovered by Nguyen Khanh Hao and was assigned CVE-2024-11727 on December 12, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's content settings for notifications. The issue has been assigned a CVSS v3.1 base score of 4.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, Wordfence).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. When exploited, these malicious scripts will execute whenever a user accesses an affected page. The impact is specifically limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

A fix has been implemented in the plugin's source code, as evidenced by the changes in the WordPress plugin repository (WordPress Plugin). Users should update to the latest version of the plugin when available.