CVE-2025-0629: 
WordPress vulnerability analysis and mitigation

The Coronavirus (COVID-19) Notice Message WordPress plugin through version 1.1.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on February 18, 2025, and was assigned CVE-2025-0629. This security issue affects WordPress installations using the Coronavirus Notice Message plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings. This security flaw exists even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of arbitrary JavaScript code in users' browsers who view the affected pages (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Users of the Coronavirus (COVID-19) Notice Message WordPress plugin should consider either removing the plugin or implementing additional security controls to mitigate the risk (WPScan).