Vulnerability in NotificationX FOMO Plugin for WordPress and WooCommerce Sites
The NotificationX FOMO plugin, used by over 40,000 websites, has a high-severity vulnerability that allows unauthenticated attackers to inject malicious JavaScript into a visitor’s browser. This vulnerability is rated at a 7.2 severity level and can be exploited without requiring any authentication or user role.
What is the NotificationX FOMO Plugin?
The NotificationX FOMO plugin is used by WordPress and WooCommerce site owners to display notification bars, popups, and real-time alerts such as recent sales, announcements, and promotional messages. The plugin is commonly deployed on marketing and e-commerce sites to create urgency and draw visitor attention through notifications.
Exposure Level
Exploiting the vulnerability requires neither authentication nor any user role. Attackers do not need a WordPress account or any prior access to the site to trigger it. Exploitation relies on getting a victim to visit a specially crafted page that interacts with the vulnerable site.
Root Cause of the Vulnerability
The issue is a DOM-based Cross-Site Scripting (XSS) vulnerability tied to how the plugin processes preview data. DOM-based XSS occurs when a plugin's client-side JavaScript takes data from an untrusted source and handles it unsafely, typically by writing it into the web page as HTML rather than as text.
How the Vulnerability Works
The plugin’s scripts accept input through the nx-preview POST parameter but neither sanitize the input nor escape the output before it is rendered in the browser. The checks that should ensure user-supplied data is treated as plain text are missing. This allows an attacker to create a malicious web page that automatically submits a form to the victim’s site, forcing the victim’s browser to execute harmful scripts injected via that parameter.
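How a sink of this kind arises and how it is closed, as an added JavaScript example that is not NotificationX's code: the preview object's field names, the JSON encoding of the nx-preview value and the markup template are assumptions made for illustration.

```javascript
// Added example (not NotificationX code). Preview data arrives in a POST body,
// is decoded client-side and written into the notification bar; field names,
// the JSON encoding of nx-preview and the markup template are assumptions.

// Decode a form-encoded body (what an auto-submitted form delivers) and pull
// out the nx-preview value. Assumes the value carries a JSON object.
function parsePreviewParam(body) {
  const value = new URLSearchParams(body).get("nx-preview");
  return value === null ? null : JSON.parse(value);
}

// Vulnerable pattern: untrusted fields are concatenated into markup that the
// page then assigns to element.innerHTML, so any tag or event-handler
// attribute inside the fields becomes live DOM.
function buildPreviewMarkupUnsafe(preview) {
  return `<div class="nx-bar"><strong>${preview.title}</strong> ${preview.message}</div>`;
}

// Hardened pattern: accept only the expected string fields and HTML-escape each
// one so the browser parses it as text (textContent/createElement do the same).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function sanitizePreview(raw) {
  const clean = {};
  for (const field of ["title", "message"]) {
    if (typeof raw[field] !== "string") throw new TypeError(`${field} must be a string`);
    clean[field] = raw[field]; // unknown fields are dropped
  }
  return clean;
}

function buildPreviewMarkupSafe(raw) {
  const p = sanitizePreview(raw);
  return `<div class="nx-bar"><strong>${escapeHtml(p.title)}</strong> ${escapeHtml(p.message)}</div>`;
}

// Defender's check: does rendered markup still carry an inline event handler?
function containsEventHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

// Constructed body of the kind an auto-submitting page would post; harmless canary payload.
const SAMPLE_BODY = "nx-preview=" + encodeURIComponent(JSON.stringify({
  title: '<img src=x onerror="alert(1)">',
  message: "Flash sale ends soon",
}));
```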
What Attackers Can Do
If exploited, the vulnerability enables attackers to execute arbitrary JavaScript in the context of the affected site. The injected script executes when a user visits a malicious page that automatically submits a form to the vulnerable NotificationX site. This can allow attackers to:
- Hijack logged-in administrator or editor sessions
- Perform actions on behalf of authenticated users
- Redirect visitors to malicious or fraudulent websites
- Access sensitive information available through the browser
Affected Versions
All versions of NotificationX up to and including 3.2.0 are vulnerable. The vulnerability is fixed in NotificationX version 3.2.1, which includes security enhancements related to this issue.
Another Vulnerability
There is another vulnerability in the NotificationX plugin, rated 4.3 (medium severity). It allows authenticated attackers with Contributor-level access and above to reset analytics for any NotificationX campaign, regardless of ownership. An attacker can:
- Reset analytics for any NotificationX campaign
- Do this even if they did not create or own the campaign
- Repeatedly wipe or regenerate campaign statistics
Recommended Action
Site owners using NotificationX are recommended to update their plugin immediately to version 3.2.1 or later. Sites that cannot update should disable the plugin until the patched version can be applied. Leaving vulnerable versions active exposes visitors and logged-in users to client-side attacks that can be difficult to detect and mitigate.
Conclusion
The NotificationX FOMO plugin vulnerability is a serious issue that can be exploited by unauthenticated attackers to inject malicious JavaScript into a visitor’s browser. Site owners should take immediate action to update their plugin to the latest version to prevent potential attacks. It is essential to prioritize website security and keep all plugins and software up to date to protect against vulnerabilities and potential threats.