NotificationX WordPress Plugin
CVE-2024-1698
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The NotificationX - Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to append arbitrary SQL queries via the 'type' parameter and exfiltrate sensitive database contents. Publicly available exploit code exists and the EPSS score of 93.74% (100th percentile) indicates very high probability of exploitation attempts in the wild, though the CVE is not currently listed in CISA KEV.
Technical ContextAI
The vulnerability resides in wpdeveloper's NotificationX plugin (CPE cpe:2.3:a:wpdeveloper:notificationx), a popular social-proof and FOMO notification plugin for WordPress with Elementor integration. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the 'type' parameter received from user input is concatenated into a SQL query without sufficient escaping and without the use of prepared statements (e.g., WordPress's $wpdb->prepare()). This permits stacked or UNION-based SQL injection against the underlying MySQL/MariaDB database that backs the WordPress installation.
RemediationAI
Patch available per vendor advisory - upgrade the NotificationX plugin to the latest fixed release available from the WordPress.org plugin repository (versions after 2.8.2); the exact fixed version should be confirmed against the Wordfence advisory and the plugin changelog before deployment. If immediate patching is not possible, deactivate and remove the NotificationX plugin (which will disable social-proof notifications site-wide), or place the WordPress site behind a WAF with rules that block SQL metacharacters and UNION/SELECT patterns in requests targeting NotificationX endpoints - be aware that WAF rules can produce false positives against legitimate admin actions and are not a substitute for the patch. Restrict outbound database access from the web tier and review database audit logs for anomalous SELECT activity originating from the WordPress account during the exposure window.
More in Notificationx
View allThe NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQ
The NotificationX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today