NotificationX Vulnerability- Unauthenticated SQL Injection – CVE-2024-1698 | WordPress Plugin Vulnerability Report

Plugin Name: NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: notificationx
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 1,002,386
  • Active Installs: 30,000
  • Last Updated: February 27, 2024
  • Patched Versions: 2.8.3
  • Affected Versions: <= 2.8.2

Vulnerability Details:

  • Name: NotificationX <= 2.8.2
  • Title: Unauthenticated SQL Injection
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-1698
  • CVSS Score: 9.8
  • Publicly Published: February 26, 2024
  • Researcher: Krzysztof Zając - CERT PL
  • Description: The NotificationX plugin for WordPress is at risk due to an SQL Injection vulnerability present in all versions up to and including 2.8.2. This issue stems from insufficient input validation and sanitization on the 'type' parameter, allowing unauthenticated attackers to manipulate SQL queries to access or alter database contents potentially.

Summary:

NotificationX, a popular plugin for creating FOMO, social proof, and sales notifications, faces a critical security risk due to an unauthenticated SQL Injection vulnerability in versions up to 2.8.2. This flaw could enable attackers to execute arbitrary SQL commands, leading to unauthorized data access or manipulation. The issue has been addressed in the newly released patch, version 2.8.3.

Detailed Overview:

Discovered by Krzysztof Zając from CERT PL, this vulnerability exposes websites to significant risks by allowing attackers to execute SQL queries without authentication. The vulnerability's high CVSS score of 9.8 reflects the severity of potential impacts, including data breaches and database corruption. Updating to version 2.8.3 is essential to mitigate these risks, as it incorporates necessary input validation and query sanitization measures.

Advice for Users:

  • Immediate Action: Update the NotificationX plugin to version 2.8.3 without delay to secure your WordPress site against this vulnerability.
  • Check for Signs of Vulnerability: Monitor your website's database for any unusual activities or unauthorized access attempts, which could indicate exploitation of this vulnerability.
  • Alternate Plugins: While the updated version is secure, exploring other reputable plugins offering similar functionality might be considered, ensuring they have a strong security track record.
  • Stay Updated: Regularly updating all WordPress components is crucial for security. Enable automatic updates where possible and periodically review installed plugins and themes for new updates or security advisories.

Conclusion:

The resolution of CVE-2024-1698 in the NotificationX plugin underscores the critical importance of maintaining updated and secure software within the WordPress ecosystem. For website administrators and small business owners, this incident highlights the need for continuous vigilance and adherence to best security practices, including regular updates, to protect against emerging threats and vulnerabilities.

References:

 

In the ever-evolving landscape of website management, maintaining the security of WordPress plugins is paramount. A recent discovery of a critical vulnerability in the NotificationX plugin by ThemeIsle, known for enhancing websites with FOMO, social proof, and sales notifications, underscores the perpetual challenge of safeguarding digital assets. This vulnerability, identified as CVE-2024-1698, exposes websites to unauthenticated SQL Injection attacks, posing a substantial threat to data integrity and site security.

Plugin Overview:

NotificationX stands out in the WordPress ecosystem with its robust download count of over 1 million and active installation on 30,000 sites. It is developed by wpdevteam and is renowned for its ability to dynamically display user engagement metrics. Despite its widespread use and utility, the plugin was found to be susceptible in versions up to and including 2.8.2, with a patched version 2.8.3 recently released to address the flaw.

Vulnerability Insights:

The core of the vulnerability lies in the plugin's insufficient input sanitization and output escaping within the 'type' parameter, as uncovered by researcher Krzysztof Zając from CERT PL. This oversight allows attackers to manipulate SQL queries without authentication, potentially leading to unauthorized data access or manipulation. With a CVSS score of 9.8, the severity of this vulnerability is evident, highlighting the risks of data breaches, database corruption, and compromised site integrity.

Mitigation and User Guidance:

To counteract this vulnerability, users are urged to immediately update their NotificationX plugin to version 2.8.3. This version introduces the necessary measures to prevent SQL injection, safeguarding the plugin against potential exploits. Website administrators are also advised to monitor their databases for unusual activities that may indicate unauthorized access attempts, as well as to consider alternative plugins that prioritize security and receive regular updates.

Historical Context:

This is not the first time NotificationX has encountered security issues; there have been three previous vulnerabilities reported since September 2020. Each incident serves as a reminder of the dynamic nature of cybersecurity threats and the need for continuous vigilance.

Concluding Thoughts:

The recent vulnerability in NotificationX underscores the critical importance of regular updates and proactive security measures in the WordPress ecosystem. For small business owners, who often juggle numerous responsibilities, this incident highlights the necessity of leveraging tools for automatic updates, staying informed about potential vulnerabilities, and conducting regular security audits. In a digital age where threats constantly evolve, the security of a WordPress site is not just about responding to incidents but anticipating and mitigating risks before they can impact the business.

Ensuring the security of WordPress plugins like NotificationX is not just a technical necessity but a business imperative. Staying ahead of vulnerabilities and adopting a proactive security posture is essential for maintaining the trust of users and protecting the digital presence that small businesses rely on.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

NotificationX Vulnerability- Unauthenticated SQL Injection – CVE-2024-1698 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment