NotificationX Vulnerability- Unauthenticated SQL Injection – CVE-2024-1698 | WordPress Plugin Vulnerability Report
Plugin Name: NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
Key Information:
- Software Type: Plugin
- Software Slug: notificationx
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 1,002,386
- Active Installs: 30,000
- Last Updated: February 27, 2024
- Patched Versions: 2.8.3
- Affected Versions: <= 2.8.2
Vulnerability Details:
- Name: NotificationX <= 2.8.2
- Title: Unauthenticated SQL Injection
- Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE: CVE-2024-1698
- CVSS Score: 9.8
- Publicly Published: February 26, 2024
- Researcher: Krzysztof Zając - CERT PL
- Description: The NotificationX plugin for WordPress is at risk due to an SQL Injection vulnerability present in all versions up to and including 2.8.2. This issue stems from insufficient input validation and sanitization on the 'type' parameter, allowing unauthenticated attackers to manipulate SQL queries to access or alter database contents potentially.
Summary:
NotificationX, a popular plugin for creating FOMO, social proof, and sales notifications, faces a critical security risk due to an unauthenticated SQL Injection vulnerability in versions up to 2.8.2. This flaw could enable attackers to execute arbitrary SQL commands, leading to unauthorized data access or manipulation. The issue has been addressed in the newly released patch, version 2.8.3.
Detailed Overview:
Discovered by Krzysztof Zając from CERT PL, this vulnerability exposes websites to significant risks by allowing attackers to execute SQL queries without authentication. The vulnerability's high CVSS score of 9.8 reflects the severity of potential impacts, including data breaches and database corruption. Updating to version 2.8.3 is essential to mitigate these risks, as it incorporates necessary input validation and query sanitization measures.
Advice for Users:
- Immediate Action: Update the NotificationX plugin to version 2.8.3 without delay to secure your WordPress site against this vulnerability.
- Check for Signs of Vulnerability: Monitor your website's database for any unusual activities or unauthorized access attempts, which could indicate exploitation of this vulnerability.
- Alternate Plugins: While the updated version is secure, exploring other reputable plugins offering similar functionality might be considered, ensuring they have a strong security track record.
- Stay Updated: Regularly updating all WordPress components is crucial for security. Enable automatic updates where possible and periodically review installed plugins and themes for new updates or security advisories.
Conclusion:
The resolution of CVE-2024-1698 in the NotificationX plugin underscores the critical importance of maintaining updated and secure software within the WordPress ecosystem. For website administrators and small business owners, this incident highlights the need for continuous vigilance and adherence to best security practices, including regular updates, to protect against emerging threats and vulnerabilities.