CVE-2025-12033
Simple Banner <= 3.0.10 - Authenticated (Admin+) Stored Cross-Site Scripting
The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pro_version_activation_code' parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
| CWE | CWE-79 |
| Vendor | rpetersen29 |
| Product | simple banner – easily add multiple banners/bars/notifications/announcements to the top or bottom of your website |
| Published | Oct 22, 2025 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for rpetersen29 simple banner – easily add multiple banners/bars/notifications/announcements to the top or bottom of your website
Be the first to know when new medium vulnerabilities affecting rpetersen29 simple banner – easily add multiple banners/bars/notifications/announcements to the top or bottom of your website are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N