User Notes Vulnerability (Medium) – CVE-2025-60136

by | Feb 26, 2026 | Plugins

Attack Vectors

Product: User Notes (slug: user-notes)

Severity: Medium (CVSS 4.4; CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)

CVE-2025-60136 affects the User Notes WordPress plugin in versions up to and including 1.0.2. The attack requires an authenticated user with Administrator-level access (or higher) who can add or modify content in the plugin in a way that results in a stored script being saved.

The risk is most relevant in multi-site environments and in installations where the unfiltered_html capability has been disabled, because administrators in those setups are not otherwise permitted to publish raw script or markup. There, a malicious or compromised admin account can store a payload that executes later whenever a user visits the affected page or view.

Security Weakness

This is a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping. In practice, this means untrusted content can be saved and then rendered back to browsers in a way that allows arbitrary JavaScript to run.

Because it is stored, the malicious code can persist inside the site until removed, triggering repeatedly for any user who accesses the injected content. Official tracking: CVE-2025-60136.
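The save-and-render pattern behind this class of bug, shown as an added example (this is not the User Notes plugin's own code): a vulnerable variant that stores the request body verbatim and echoes it back unescaped, beside a hardened variant that checks the request, sanitizes on save and escapes on output. The function names, the `_un_example_note` meta key and the `un_example_save_note` nonce action are assumptions chosen for illustration; the WordPress API calls (`wp_kses_post`, `esc_html`, `sanitize_textarea_field`, `check_admin_referer`, `current_user_can`, `update_post_meta`, `get_post_meta`, `wp_unslash`) are the real ones.

```php
<?php
/**
 * Added example, not code from the User Notes plugin. Demonstrates the
 * stored XSS pattern (missing sanitization on save, missing escaping on
 * output) next to a hardened version. Function names, the meta key and
 * the nonce action are illustrative assumptions.
 */

// --- Vulnerable pattern: trust the request body, echo the stored value raw.
function un_example_save_note_vulnerable( int $post_id ): void {
    // No capability check, no nonce, no sanitization: the submitted string,
    // script tags included, is written to post meta exactly as received.
    update_post_meta( $post_id, '_un_example_note', $_POST['note'] ?? '' );
}

function un_example_render_note_vulnerable( int $post_id ): void {
    // No output escaping: whatever was stored is interpreted by the browser
    // of every user who views this page, which is what makes the XSS "stored".
    echo get_post_meta( $post_id, '_un_example_note', true );
}

// --- Hardened pattern: verify intent, sanitize on save, escape on output.
function un_example_save_note_hardened( int $post_id ): void {
    // Reject requests that do not carry a valid nonce for this action (CSRF).
    check_admin_referer( 'un_example_save_note' );

    // Tie the write to a concrete capability on this object, not just "admin".
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $raw = isset( $_POST['note'] ) ? wp_unslash( $_POST['note'] ) : '';

    // wp_kses_post() applies the same allowlist WordPress uses for post
    // content: <script>, on* event handlers and javascript: URLs are removed.
    // It is applied unconditionally here because a note field has no
    // legitimate need for script, even from users who hold unfiltered_html.
    $clean = wp_kses_post( $raw );

    update_post_meta( $post_id, '_un_example_note', $clean );
}

function un_example_render_note_hardened( int $post_id ): void {
    $note = get_post_meta( $post_id, '_un_example_note', true );

    // Filter again on output: defence in depth in case the meta was written
    // by another code path (import, REST, direct SQL) that skipped sanitization.
    echo '<div class="un-note">' . wp_kses_post( $note ) . '</div>';
}

// --- Plain-text variant: if notes never need markup, store and show text only.
function un_example_save_note_plaintext( int $post_id ): void {
    check_admin_referer( 'un_example_save_note' );
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // sanitize_textarea_field() strips tags and control characters but keeps
    // line breaks, which is usually what a free-text note wants.
    $clean = sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_post_meta( $post_id, '_un_example_note', $clean );
}

function un_example_render_note_plaintext( int $post_id ): void {
    $note = get_post_meta( $post_id, '_un_example_note', true );
    // esc_html() converts <, >, &, " and ' to entities, so no tag can form
    // regardless of what is in the database. nl2br() keeps the line breaks.
    echo '<div class="un-note">' . nl2br( esc_html( $note ) ) . '</div>';
}
```

The hardened functions sanitize on the way in and escape on the way out rather than relying on either step alone; the second filter on render is what protects installs where the data was written before the fix (the advisory's "persists inside the site until removed" case). Choosing between the HTML-allowlist and plain-text variants depends on whether the feature genuinely needs formatting; when it does not, the plain-text pair is the smaller attack surface.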

Technical or Business Impacts

While this vulnerability requires admin-level permissions, it still represents meaningful business risk because admin accounts are high-value targets and are commonly impacted by phishing, credential reuse, or insider misuse. If an admin account is compromised, stored XSS can be used as a “second stage” to expand impact.

Potential impacts include:

Session and account abuse: injected scripts can run in a victim’s browser and may be used to interfere with sessions or user actions, depending on the affected page and permissions.

Brand and compliance risk: site visitors or internal users could be redirected, shown malicious content, or have data exposed in the browser context, creating reputational harm and potential compliance reporting questions—especially if the site is used for lead capture, customer portals, or internal workflows.

Operational disruption: incident response time, emergency change windows, and marketing-site downtime (or campaign pausing) are common business outcomes even when technical impact appears “medium.”

Remediation: update User Notes to version 1.0.3 or newer (patched). Source: Wordfence vulnerability advisory.

Similar Attacks

Stored XSS has a long history of being used to spread quickly and cause outsized business impact because the malicious code executes for every viewer of an infected page.

Samy (MySpace) worm — a stored XSS worm that rapidly self-propagated through user profiles, demonstrating how “stored” browser-executed code can scale impact.

2010 Twitter onMouseOver worm — another real-world example where a script-based payload spread through user interaction patterns, highlighting the reputational and operational fallout that can follow XSS incidents.
