Wordfence has disclosed two security vulnerabilities in the NotificationX plugin, which is widely used on WordPress and WooCommerce sites. The issues affect more than 40,000 installations and involve a DOM-based cross-site scripting flaw and an unauthorized analytics reset weakness.
Key details: NotificationX WordPress plugin vulnerabilities
According to Wordfence threat intelligence, the primary issue is an unauthenticated DOM-based cross-site scripting (XSS) vulnerability in NotificationX, affecting versions up to and including 3.2.0. Wordfence rates the flaw 7.2 (High) on the CVSS scale in its advisory.
Key technical details include:
- Attackers do not need a WordPress account or any prior access to the affected site.
- Exploitation uses the nx-preview POST parameter, which processes preview data without sufficient sanitization or output escaping.
- A malicious page can auto-submit a crafted form to the vulnerable site, executing injected JavaScript in the visitor's browser.
- Wordfence reports more than 40,000 active installations of NotificationX at the time of disclosure.
- The vendor has released NotificationX version 3.2.1, which includes a fix for this cross-site scripting issue.
Wordfence states that successful exploitation allows execution of arbitrary JavaScript in the context of the affected website. The script runs when a user visits a malicious page that auto-submits the form to the vulnerable installation, and the behavior occurs entirely within the victim's browser session.
According to the advisory, attackers could steal authenticated sessions, perform actions as logged-in users, redirect visitors to external domains, or access sensitive data that is available in the browser at the time of the attack.
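The root cause described above is preview data that reaches the page without sanitization or output escaping. The following is an added example written for this article; it is not NotificationX code and does not reproduce the plugin's actual handler. It shows a hypothetical WordPress preview endpoint that reads a POST parameter named nx-preview (the parameter name is from the advisory; the field names inside it, the nonce action and the function names are assumptions) in an unsafe form and in a hardened form that allow-lists fields, sanitizes each value, escapes per output context, and requires a capability plus a nonce so that a form auto-submitted from a third-party page is rejected.

```php
<?php
/**
 * Added example, not NotificationX code. A hypothetical preview handler that
 * receives campaign preview settings via the nx-preview POST parameter and
 * renders them. Field names (title, message, link) and the nonce action are
 * assumed; only the parameter name comes from the advisory.
 */

// --- Unsafe: request data reaches the page with no sanitization or escaping.
function nx_example_render_preview_unsafe() {
    $preview = isset( $_POST['nx-preview'] ) ? (array) $_POST['nx-preview'] : array();

    // Two injection points: HTML context, then inline-script context.
    echo '<div class="nx-preview">' . ( $preview['title'] ?? '' ) . '</div>';
    echo '<script>var nxPreview = ' . json_encode( $preview ) . ';</script>';
}

// --- Hardened: allow-list the fields, normalise each one by type, and drop
// anything unexpected instead of echoing it back.
function nx_example_sanitize_preview( array $raw ) {
    $allowed = array(
        'title'   => 'text', // plain text only
        'message' => 'html', // limited HTML, filtered by wp_kses_post
        'link'    => 'url',  // http/https URLs only
    );
    $clean = array();
    foreach ( $allowed as $key => $type ) {
        if ( ! isset( $raw[ $key ] ) || ! is_scalar( $raw[ $key ] ) ) {
            continue;
        }
        $value = wp_unslash( (string) $raw[ $key ] );
        switch ( $type ) {
            case 'text':
                $clean[ $key ] = sanitize_text_field( $value );
                break;
            case 'html':
                $clean[ $key ] = wp_kses_post( $value );
                break;
            case 'url':
                $clean[ $key ] = esc_url_raw( $value, array( 'http', 'https' ) );
                break;
        }
    }
    return $clean;
}

function nx_example_render_preview_safe() {
    // A preview only makes sense to a user who is editing a campaign, so require
    // a capability and a nonce. The nonce is what defeats a form auto-submitted
    // from another origin: the attacker's page cannot know its value.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'nx_example_preview', 'nx_example_nonce' );

    $raw     = ( isset( $_POST['nx-preview'] ) && is_array( $_POST['nx-preview'] ) )
        ? $_POST['nx-preview'] : array();
    $preview = nx_example_sanitize_preview( $raw );

    // Escape for the context each value lands in.
    echo '<div class="nx-preview">';
    echo '<h3>' . esc_html( $preview['title'] ?? '' ) . '</h3>';
    echo '<div>' . wp_kses_post( $preview['message'] ?? '' ) . '</div>';
    if ( ! empty( $preview['link'] ) ) {
        echo '<a href="' . esc_url( $preview['link'] ) . '">More</a>';
    }
    echo '</div>';

    // Inline-script context: JSON_HEX_TAG encodes "<" and ">" so a value
    // containing "</script>" cannot terminate the script block early.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    echo '<script>var nxPreview = ' . wp_json_encode( $preview, $flags ) . ';</script>';
}
```

Because the advisory classifies the flaw as DOM-based, the same discipline applies to any client-side code that later reads nxPreview: assign values with textContent or a templating layer that escapes, never with innerHTML.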
Background and additional NotificationX issue
NotificationX is a WordPress plugin that displays sales notifications, announcement banners, popups, and other promotional alerts. Site owners often deploy it on marketing and online retail properties to highlight recent activity and campaigns.
The plugin includes analytics features that track impressions and conversions for each notification campaign. These analytics features rely on REST API endpoints that manage campaign statistics and regeneration workflows.
Wordfence has also documented a separate vulnerability affecting NotificationX versions up to and including 3.1.11. In this second issue, described in a Wordfence advisory, the flaw is rated 4.3 Medium and stems from missing authorization checks on specific analytics-related REST API endpoints.
According to Wordfence, the affected endpoints are named regenerate and reset and lack adequate permission validation. Authenticated users with Contributor-level access or higher can call these endpoints and reset analytics for any campaign, regardless of whether they created or own the targeted notification campaign.
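The weakness here is a REST route whose permission_callback does not verify that the caller may act on the specific campaign. The following is an added example written for this article, not NotificationX code: it registers hypothetical regenerate and reset routes (the action names come from the advisory; the route namespace, the post-meta keys, the assumption that campaigns are a custom post type, and all function names are assumptions) first with a permission callback that admits any authenticated user, then with one that checks a per-campaign capability.

```php
<?php
/**
 * Added example, not NotificationX code. Registers hypothetical analytics
 * routes for a campaign stored as a custom post type. Namespace, meta keys and
 * function names are assumed.
 */

// --- Weak: '__return_true' makes the route callable by anyone who can reach
// it, so any logged-in user can reset analytics for any campaign id.
function nx_example_register_analytics_routes_weak() {
    register_rest_route( 'nx-example/v1', '/analytics/(?P<id>\d+)/reset', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'nx_example_reset_analytics',
        'permission_callback' => '__return_true',
    ) );
}

// --- Hardened: the permission callback checks a capability scoped to the
// specific campaign, so a Contributor cannot touch a campaign they do not own.
function nx_example_can_manage_campaign( WP_REST_Request $request ) {
    $campaign_id = (int) $request['id'];

    if ( ! current_user_can( 'edit_post', $campaign_id ) ) {
        return new WP_Error(
            'nx_example_forbidden',
            'You are not allowed to modify analytics for this campaign.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

function nx_example_register_analytics_routes_hardened() {
    foreach ( array( 'regenerate', 'reset' ) as $action ) {
        register_rest_route( 'nx-example/v1', '/analytics/(?P<id>\d+)/' . $action, array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'nx_example_' . $action . '_analytics',
            'permission_callback' => 'nx_example_can_manage_campaign',
            'args'                => array(
                'id' => array(
                    'required'          => true,
                    'validate_callback' => function ( $value ) {
                        return is_numeric( $value ) && (int) $value > 0;
                    },
                    'sanitize_callback' => 'absint',
                ),
            ),
        ) );
    }
}

function nx_example_reset_analytics( WP_REST_Request $request ) {
    $campaign_id = (int) $request['id'];
    // Assumed storage: impression and conversion counters live in post meta.
    update_post_meta( $campaign_id, '_nx_example_impressions', 0 );
    update_post_meta( $campaign_id, '_nx_example_conversions', 0 );
    return rest_ensure_response( array( 'reset' => true, 'id' => $campaign_id ) );
}

function nx_example_regenerate_analytics( WP_REST_Request $request ) {
    $campaign_id = (int) $request['id'];
    // Assumed storage: raw events are an array of 'impression' / 'conversion'
    // strings in post meta; regeneration recounts them into the two counters.
    $events = (array) get_post_meta( $campaign_id, '_nx_example_events', true );
    $counts = array_count_values( array_filter( $events, 'is_string' ) );
    update_post_meta( $campaign_id, '_nx_example_impressions', $counts['impression'] ?? 0 );
    update_post_meta( $campaign_id, '_nx_example_conversions', $counts['conversion'] ?? 0 );
    return rest_ensure_response( array( 'regenerated' => true, 'id' => $campaign_id ) );
}

add_action( 'rest_api_init', 'nx_example_register_analytics_routes_hardened' );
```

The key difference is that current_user_can( 'edit_post', $campaign_id ) resolves ownership and role for that one object, whereas a bare logged-in check (or '__return_true') treats every authenticated user identically. A quick audit on any site is to grep the plugin's REST registrations for permission_callback values of '__return_true' or checks that ignore the requested id.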
Wordfence notes that NotificationX version 3.2.1 resolves both the DOM-based cross-site scripting flaw and the analytics reset issue. The vendor has released this update through the official WordPress plugin repository, and site owners using NotificationX can address both vulnerabilities by updating to version 3.2.1 or later.
Source citations
All vulnerability information and version details in this report originate from official security and plugin documentation.
- Wordfence advisory on the NotificationX DOM-based cross-site scripting vulnerability.
- Wordfence advisory on the NotificationX analytics reset authorization issue.
- NotificationX plugin page on WordPress.org.