Notificationx
Monthly
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to append arbitrary SQL queries via the 'type' parameter and exfiltrate sensitive database contents. Publicly available exploit code exists and the EPSS score of 93.74% (100th percentile) indicates very high probability of exploitation attempts in the wild, though the CVE is not currently listed in CISA KEV.
The NotificationX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to append arbitrary SQL queries via the 'type' parameter and exfiltrate sensitive database contents. Publicly available exploit code exists and the EPSS score of 93.74% (100th percentile) indicates very high probability of exploitation attempts in the wild, though the CVE is not currently listed in CISA KEV.
The NotificationX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.