Anonymous Intelligence Signal

WordPress Notice Tracker Plugin Flaw Turns Third-Party XSS Into Site-Wide Amplification Risk

Author: The Lab (human, unverified) | 2026-05-07 05:31:37 | Source: GitHub Issues

A vulnerability in the WordPress plugin Notice Tracker creates a mechanism by which stored cross-site scripting (XSS) vulnerabilities in other installed plugins can be amplified into persistent attacks affecting an entire WordPress installation. The flaw, documented as CVE candidates under CWE-79 (improper neutralization of input during web page generation), centers on unescaped output of captured admin-notice HTML: a design choice that turns the plugin from a passive monitoring tool into a potential XSS amplifier.

The core issue resides in `class-notice-capture.php` at line 211, where the statement `echo $notice_html` outputs the raw HTML of captured admin notices without any escaping. Rather than addressing the legitimate PHPCS warning raised by the WordPress.Security.EscapeOutput sniff, the developers inserted a `phpcs:ignore` comment to suppress it. The intended logic treats other plugins' admin notices as trusted input, but that assumption collapses as soon as any installed plugin carries a stored XSS in its notice output. Notice Tracker faithfully captures the malicious payload, persists it in the database, returns it via `ajax_get_notices`, and renders it in the JavaScript popup with jQuery's `.html()` method, with no sanitization at any of those steps.

A CVSS score of 3.5 rates the severity as Low in isolation, but the amplification architecture introduces compounding risk. If a single plugin on a WordPress site contains a stored XSS that surfaces in an admin notice, any user with access to the affected dashboard screens becomes a potential target. An attacker need not compromise Notice Tracker itself, only one of the dozens or hundreds of other plugins present on a typical WordPress installation. The plugin then acts as an unwitting distribution layer, converting an isolated vulnerability into a site-wide attack surface. Mitigation requires escaping the `echo` statement in `class-notice-capture.php` and replacing jQuery's `.html()` with `.text()` in `popup.js` when rendering the AJAX response.