CVE-2024-1698 Scanner
Detects 'SQL Injection' vulnerability in NotificationX affects v. <= 2.8.2.
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 sec
Scan only one
Domain, Ipv4
Toolbox
-
NotificationX is a WordPress plugin designed to enhance user engagement by providing various notification features such as FOMO, Social Proof, WooCommerce Sales Popup, and Notification Bar. It is utilized by website owners and administrators to display notifications and alerts to site visitors, thereby increasing conversion rates and user interaction on WordPress-based websites.
The detected vulnerability in NotificationX is a SQL Injection flaw present in versions up to and including 2.8.2. This vulnerability arises due to insufficient input validation and inadequate preparation of SQL queries, allowing unauthenticated attackers to inject malicious SQL code via the 'type' parameter. Exploiting this vulnerability enables attackers to manipulate SQL queries and potentially extract sensitive information from the database.
The vulnerability is exploited by sending a crafted HTTP POST request to the '/wp-json/notificationx/v1/analytics' endpoint of the WordPress site hosting the NotificationX plugin. The malicious payload is included in the 'type' parameter of the JSON payload, allowing attackers to inject SQL code such as boolean-based blind SQL injection payloads. Successful exploitation results in the execution of arbitrary SQL queries against the WordPress site's database, potentially leading to data leakage or data manipulation.
Exploiting the SQL Injection vulnerability in NotificationX can have severe consequences, including unauthorized access to sensitive data stored in the WordPress site's database, disclosure of personally identifiable information (PII), compromise of user credentials, and potential data loss or corruption. Attackers can leverage the injected SQL queries to extract, modify, or delete sensitive information, undermining the confidentiality, integrity, and availability of the affected WordPress site.
Protect your WordPress site from the risks posed by the SQL Injection vulnerability in NotificationX by utilizing the comprehensive security scanning capabilities of the securityforeveryone platform. Join our platform to identify and remediate critical vulnerabilities like CVE-2024-1698, ensuring the security and integrity of your WordPress-based web applications and safeguarding your sensitive data from unauthorized access and exploitation.
References
- https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Database.php
- https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Rest/Analytics.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e110ea99-e2fa-4558-bcf3-942a35af0b91?source=cve
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://nvd.nist.gov/vuln/detail/CVE-2024-1698
control security posture