DOM-Based Cross-Site Scripting in NotificationX Plugin for WordPress
CVE-2025-15380

7.2HIGH

Key Information:

Vendor: WordPress
Status: Notificationx – Fomo, Live Sales Notification, WooCommerce Sales Popup, Gdpr, Social Proof, Announcement Banner & Floating Notification Bar
Vendor: CVE Published:; 20 January 2026

What is CVE-2025-15380?

The NotificationX plugin for WordPress allows unauthenticated attackers to exploit a DOM-Based Cross-Site Scripting vulnerability. This occurs through the 'nx-preview' POST parameter, where the plugin fails to properly sanitize input and escape output while processing preview data. This inadequacy enables attackers to inject malicious web scripts into the application's pages. When a user visits a compromised page that auto-submits a form to the affected site, the injected scripts are executed, compromising the security of users' sessions and data.

Affected Version(s)

NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar 0 <= 3.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://research.cleantalk.org/cve-2025-15380/

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 20, 2026
Vulnerability Reserved
Dec 30, 2025

Credit

Dmitrii Ignatyev

CVE-2025-15380 Data

JSON