NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection
CVE-2022-0349

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Notificationx – Best Fomo, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
Vendor: CVE Published:; 7 March 2022

Summary

The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection

Affected Version(s)

NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor 2.3.9

References

https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-...

x_refsource_MISC

EPSS Score

67% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2022
Vulnerability Reserved
Jan 24, 2022

Credit

Krzysztof Zając