S4E

CVE-2024-1698 Scanner

Detects the SQL Injection vulnerability (CVE-2024-1698) in the NotificationX WordPress plugin, affecting versions <= 2.8.2.

Short Info

Level: Critical
Scan Type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: Domain, IPv4
Toolbox: -

NotificationX is a WordPress plugin that adds engagement features such as FOMO and social-proof notifications, WooCommerce sales popups and a notification bar. Site owners and administrators use it to show notifications and alerts to visitors in order to raise conversion rates and user interaction on WordPress sites.

The detected vulnerability is a SQL injection flaw in NotificationX versions up to and including 2.8.2. The plugin neither sufficiently validates or escapes the user-supplied 'type' parameter nor prepares the SQL query that uses it, so an unauthenticated attacker can append SQL to the existing query through that parameter. This lets the attacker alter the query's logic and potentially extract sensitive information from the database.
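The following added example (not NotificationX's code; the table names, the allow-list and the `sqlite3` stand-in are constructed for illustration) shows the flaw class the paragraph describes: a `type` value spliced into SQL text changes the query's meaning, and the same query with an allow-list plus bound parameters does not. It also shows why a "blind" injection still leaks data: the attacker compares the response to a baseline and reads one bit per request.

```python
import sqlite3

# Constructed in-memory stand-in for an analytics table and the WordPress users
# table. Illustration only: not NotificationX's real schema, data or code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nx_analytics (nx_id INTEGER, type TEXT, hits INTEGER)")
    conn.executemany(
        "INSERT INTO nx_analytics VALUES (?, ?, ?)",
        [(1, "views", 10), (1, "clicks", 3), (2, "views", 7)],
    )
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES ('admin', '$P$B-constructed-hash')")
    return conn


def sum_vulnerable(conn, nx_id, type_):
    """Flaw class from the text: the caller-controlled 'type' is spliced into the
    SQL string, so a quote in it ends the literal and the rest becomes SQL."""
    sql = (
        f"SELECT SUM(hits) FROM nx_analytics "
        f"WHERE nx_id = {int(nx_id)} AND type = '{type_}'"
    )
    return conn.execute(sql).fetchone()[0]


ALLOWED_TYPES = {"views", "clicks"}  # hypothetical allow-list for this example


def sum_prepared(conn, nx_id, type_):
    """Hardened form: allow-list the enum-like value, then bind it with a
    placeholder (what $wpdb->prepare() does in WordPress)."""
    if type_ not in ALLOWED_TYPES:
        raise ValueError(f"unknown analytics type: {type_!r}")
    sql = "SELECT SUM(hits) FROM nx_analytics WHERE nx_id = ? AND type = ?"
    return conn.execute(sql, (int(nx_id), type_)).fetchone()[0]


def rejected_by_prepared(conn, nx_id, type_):
    """True if the hardened query refuses the value instead of executing it."""
    try:
        sum_prepared(conn, nx_id, type_)
    except ValueError:
        return True
    return False


def blind_oracle(conn, nx_id, condition):
    """Boolean-based blind inference against the vulnerable query: the result
    equals the baseline only when the injected condition is true."""
    baseline = sum_vulnerable(conn, nx_id, "views")
    probe = sum_vulnerable(conn, nx_id, f"views' AND ({condition})-- ")
    return probe == baseline


def leak_first_char(conn, nx_id):
    """Recover the first character of a user login one yes/no question at a time."""
    for guess in "abcdefghijklmnopqrstuvwxyz":
        cond = f"(SELECT substr(user_login,1,1) FROM wp_users)='{guess}'"
        if blind_oracle(conn, nx_id, cond):
            return guess
    return None


if __name__ == "__main__":
    db = make_db()
    print("legitimate value:", sum_vulnerable(db, 1, "views"), sum_prepared(db, 1, "views"))
    print("leaked first char of user_login:", leak_first_char(db, 1))
    print("hardened query rejects payload:", rejected_by_prepared(db, 1, "views' AND 1=2-- "))
```

The allow-list matters as much as the placeholder: a value that is really an enumeration (an analytics event type) should never reach the database as free text, and rejecting unknown values also gives the application a clean place to log probing.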

The vulnerable code is reached through the plugin's REST route '/wp-json/notificationx/v1/analytics' on the WordPress site. An attacker sends a crafted HTTP POST request whose JSON body carries the malicious SQL in the 'type' field; no authentication is required. Payloads are typically blind (for example boolean-based), so the attacker infers data from differences in the endpoint's responses rather than reading query output directly. Successful exploitation results in arbitrary SQL being executed against the site's database, which can lead to data leakage or data manipulation.
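An asset owner who wants to confirm exposure without sending injection payloads to the endpoint can compare the installed plugin version against the affected range stated on this page (<= 2.8.2). The added example below (not S4E's scanner logic) parses the 'Stable tag' field of a WordPress plugin readme.txt and decides whether the version falls in that range; the readme text is a constructed sample, and the path /wp-content/plugins/notificationx/readme.txt mentioned in the comment is an assumption about where a live site would serve it.

```python
import re

# Constructed sample of a WordPress plugin readme header. It is not the real
# NotificationX readme, only the fields a version check needs.
SAMPLE_README = """=== NotificationX ===
Contributors: example
Tags: fomo, social proof
Requires at least: 5.0
Stable tag: 2.8.2
License: GPLv3
"""

# Upper bound of the affected range stated on this page.
LAST_AFFECTED = (2, 8, 2)


def parse_stable_tag(readme_text):
    """Return the 'Stable tag:' value from readme.txt, or None if it is absent."""
    m = re.search(r"^Stable tag:\s*(\S+)\s*$", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_tuple(version):
    """'2.8.2' -> (2, 8, 2). Non-numeric tags such as 'trunk' are rejected
    rather than guessed at."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version tag: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the version is <= 2.8.2. Tuple comparison is used on purpose:
    a plain string comparison would wrongly rank '2.10.0' below '2.8.2'."""
    return version_tuple(version) <= LAST_AFFECTED


def assess_readme(readme_text):
    """Map a readme to 'affected', 'not affected' or 'unknown'."""
    tag = parse_stable_tag(readme_text)
    if tag is None:
        return "unknown"
    try:
        return "affected" if is_affected(tag) else "not affected"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Offline run against the constructed sample. On a live site the same text is
    # usually readable at /wp-content/plugins/notificationx/readme.txt (path assumed);
    # fetch it with the owner's permission and feed the body to assess_readme().
    print(parse_stable_tag(SAMPLE_README), "->", assess_readme(SAMPLE_README))
```

An "unknown" result (readme missing, or a tag such as 'trunk') should be treated as unverified rather than safe; check the version from the WordPress admin plugin list or `wp plugin list` instead.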

Exploiting this SQL injection can have severe consequences: unauthorized access to sensitive data in the WordPress database, disclosure of personally identifiable information (PII), compromise of user credentials (for example password hashes from the users table), and data loss or corruption. With the ability to run arbitrary SQL, an attacker can extract, modify or delete data, undermining the confidentiality, integrity and availability of the affected site.

Remediation is to update NotificationX to 2.8.3 or later, the first release after the affected range, and to re-scan afterwards to confirm the fix. The S4E platform's scanning capabilities identify critical vulnerabilities such as CVE-2024-1698 across your WordPress-based web applications so that they can be remediated before sensitive data is exposed.