NotificationX WordPress WooCommerce Plugin Vulnerabilities Impact 40k Sites

An advisory has been issued regarding a significant vulnerability in the NotificationX plugin for WordPress and WooCommerce sites. This vulnerability affects over 40,000 websites and poses a serious security risk to site owners and their visitors.

Overview of the Vulnerability

The vulnerability is rated 7.2, a high severity level. It allows unauthenticated attackers to inject malicious JavaScript into the browsers of unsuspecting visitors once a victim is lured to a crafted page that interacts with the vulnerable site. This can lead to a variety of harmful outcomes, including data theft and unauthorized actions performed on behalf of users.

What is NotificationX?

NotificationX is a popular FOMO (Fear of Missing Out) plugin used by WordPress and WooCommerce site owners. It enables the display of notification bars, popups, and real-time alerts, such as recent sales, announcements, and promotional messages. The plugin is particularly favored by marketers and e-commerce sites to create urgency and attract visitor attention through notifications.

Exposure Level of the Vulnerability

The critical aspect of this vulnerability is that it does not require any form of authentication or user role for an attacker to exploit it. This means that attackers do not need a WordPress account or any prior access to the site to launch an attack. The exploitation relies on tricking a victim into visiting a specially crafted page that interacts with the vulnerable site.

Root Cause of the Vulnerability

The vulnerability stems from a DOM-based Cross-Site Scripting (XSS) issue related to how the NotificationX plugin processes preview data. In this context, a DOM-based XSS vulnerability occurs when a plugin contains client-side JavaScript that processes data from an untrusted source unsafely. Specifically, the NotificationX plugin accepts input through the nx-preview POST parameter but fails to properly sanitize the input or escape the output before rendering it in the browser.

Because the parameter value is neither sanitized on input nor escaped on output, an attacker can host a web page that automatically submits a form to the victim’s site, causing the victim’s browser to execute scripts injected via that parameter. Attacker-controlled input is then interpreted as executable JavaScript instead of harmless preview content.
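To make the root cause concrete, the following added example (not the plugin's own code; the function names and the `nx-preview` wrapper markup are hypothetical) shows the unsafe way to render attacker-reachable preview text into HTML beside the escaped form, together with a crude check that flags live markup in the rendered output:

```javascript
// Added example, not NotificationX code. Demonstrates why unescaped preview
// data becomes executable markup and how output escaping prevents that.

// Minimal HTML escaper: markup characters become entities, so the browser
// treats the value as text and never as a tag or an attribute.
function escapeHtml(value) {
  const entities = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable pattern: untrusted preview data is interpolated straight into
// an HTML string (what innerHTML would parse), so any markup in it goes live.
function renderPreviewUnsafe(previewText) {
  return `<div class="nx-preview">${previewText}</div>`;
}

// Hardened pattern: same output shape, but the data is escaped first. In a
// real page, prefer element.textContent = previewText over innerHTML entirely.
function renderPreviewSafe(previewText) {
  return `<div class="nx-preview">${escapeHtml(previewText)}</div>`;
}

// Crude check for tests or log review: does the rendered preview body contain
// a tag or an inline event handler that plain text could never produce?
function containsActiveMarkup(html) {
  const body = html
    .replace(/^<div class="nx-preview">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-z!/]|\son[a-z]+\s*=/i.test(body);
}

// Constructed sample inputs: a legitimate sales notice and a markup-bearing one.
const benignPreview = "Someone in Berlin just bought a Blue Hoodie";
const hostilePreview = "<script>alert(1)</script>";

console.log(containsActiveMarkup(renderPreviewUnsafe(hostilePreview))); // true
console.log(containsActiveMarkup(renderPreviewSafe(hostilePreview)));   // false
```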

Potential Consequences of Exploitation

If exploited, this vulnerability can enable attackers to execute arbitrary JavaScript in the context of the affected site. This can lead to several malicious outcomes, including:

  • Hijacking logged-in administrator or editor sessions.
  • Performing actions on behalf of authenticated users.
  • Redirecting visitors to malicious or fraudulent websites.
  • Accessing sensitive information available through the browser.

Official Advisory

The official advisory from Wordfence states: “The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the ‘nx-preview’ POST parameter in all versions up to and including 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site.”

Affected Versions

All versions of NotificationX up to and including 3.2.0 are vulnerable. A patch has been released to address this issue in NotificationX version 3.2.1, which includes necessary security enhancements.

Recommended Actions for Site Owners

Site owners who are using the NotificationX plugin are strongly advised to update their plugin immediately to version 3.2.1 or later. For those who cannot update right away, it is recommended to disable the plugin until the patched version can be applied. Keeping vulnerable versions active exposes both visitors and logged-in users to client-side attacks that can be challenging to detect and mitigate.

Additional Vulnerability

In addition to the high-severity vulnerability, the NotificationX plugin has a second vulnerability rated 4.3, a medium severity level. This further highlights the importance of keeping plugins updated to protect against potential threats.

Frequently Asked Questions

What should I do if I am using NotificationX?

If you are using NotificationX, it is crucial to update your plugin to version 3.2.1 or later immediately. If you cannot update, consider disabling the plugin until you can apply the patch.

How can I tell if my site is vulnerable?

You can determine if your site is vulnerable by checking the version of the NotificationX plugin you are using. If it is version 3.2.0 or earlier, your site is at risk.

What are the risks of not updating the plugin?

Not updating the plugin can expose your site to various security risks, including data theft, unauthorized actions performed by attackers, and potential redirection of users to malicious sites.

Note: It is essential to regularly monitor and update all plugins to ensure the security and integrity of your WordPress site.

Disclaimer: eDevelop provides blog and information for general awareness purposes only. While we strive for accuracy, we do not guarantee the completeness or reliability of any content. Opinions expressed are those of the authors and not necessarily of eDevelop. We are not liable for any actions taken based on the information published. Content may be updated or changed without prior notice.