CVE-2025-0629 in Coronavirus Notice Message Plugin
Summary
by MITRE • 03/11/2025
The Coronavirus (COVID-19) Notice Message WordPress plugin through 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/11/2025
The vulnerability identified as CVE-2025-0629 affects the Coronavirus COVID-19 Notice Message WordPress plugin version 1.1.2 and earlier, representing a critical security flaw that undermines the integrity of web applications. This issue stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating an avenue for malicious actors to exploit stored cross-site scripting vulnerabilities. The vulnerability specifically targets high-privilege users such as administrators who possess the capability to modify plugin settings, making it particularly dangerous in multi-site WordPress environments where such privileges are commonly granted.
The technical flaw manifests when the plugin processes user-supplied input through its settings interface without properly sanitizing or escaping the data before storing it in the database. This oversight allows attackers with administrative privileges to inject malicious scripts that persist within the plugin's configuration settings. Even when WordPress installations restrict the unfiltered_html capability - a security measure commonly implemented in multisite setups to prevent unauthorized HTML injection - the vulnerability remains exploitable due to the plugin's failure to implement proper data sanitization at the point of storage. This represents a direct violation of secure coding practices and falls under the CWE-79 category for Cross-Site Scripting, specifically the stored variant where malicious scripts are permanently stored on the server.
The operational impact of this vulnerability extends beyond simple data corruption or unauthorized access. Attackers can leverage this flaw to execute arbitrary JavaScript code within the context of any user's browser who views the plugin's affected settings page or any page where the stored content is displayed. In a multisite environment, this threat multiplies as compromised administrators can affect multiple sites within the network. The vulnerability enables potential attacks such as session hijacking, credential theft, redirection to malicious sites, and data exfiltration. The persistence of stored XSS attacks makes this particularly dangerous because the malicious code executes automatically whenever affected pages are loaded, creating ongoing security risks for all users who interact with the compromised WordPress installation.
Mitigation strategies for CVE-2025-0629 should focus on immediate remediation through plugin updates to versions that properly sanitize and escape all user inputs. System administrators must ensure that all WordPress plugins are regularly updated and maintained, with particular attention to security patches released by plugin developers. Additionally, implementing proper input validation and output escaping mechanisms should be enforced through security reviews of all plugin code. The principle of least privilege should be maintained by restricting administrative access to only necessary personnel and implementing role-based access controls. Organizations should also consider implementing Content Security Policy headers as an additional defense-in-depth measure to mitigate the impact of potential XSS attacks, though this should not be considered a substitute for proper input sanitization. Regular security audits and vulnerability assessments of WordPress installations are essential to identify and remediate similar issues before they can be exploited by malicious actors.