SQL Injection Vulnerability in NotificationX Plugin Affects Sensitive Data
CVE-2024-1698

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Notificationx – Best Fomo, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
Vendor: CVE Published:; 27 February 2024

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 92%

Summary

The NotificationX Plugin for WordPress, which focuses on enhancing user experience through sales popups and notifications, is vulnerable to SQL Injection attacks. This vulnerability exists through the 'type' parameter due to inadequate escaping of user-supplied input and insufficient preparation of the corresponding SQL query. Attackers without authentication can exploit this flaw to insert malicious SQL queries, allowing them to extract sensitive information from the plugin's database. This poses significant risks to data integrity and user privacy, necessitating immediate attention and remediation by users of the affected versions.

Affected Version(s)

NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor * <= 2.8.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-1698-Exploit
Created by kamranhasan

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3040809/noti...

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Mar 29, 2024
👾
Exploit known to exist
Mar 29, 2024
Vulnerability published
Feb 27, 2024
Vulnerability Reserved
Feb 21, 2024

Credit

Krzysztof Zając