CVE-2024-11727
Description
The NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content settings for notifications in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in NotificationX plugin (≤2.9.3) allows admin-level attackers on multisite installations or with unfiltered_html disabled to inject arbitrary scripts.
Vulnerability
The NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via its content settings for notifications in all versions up to, and including, 2.9.3 [1]. The root cause is insufficient input sanitization and output escaping in the plugin's Preview.php file [1]. The issue only affects multi-site installations and installations where the unfiltered_html capability has been disabled [1]. On a standard single-site install, administrators already hold unfiltered_html and are permitted to store arbitrary markup, so the missing sanitization crosses no privilege boundary there; it becomes a vulnerability exactly where WordPress has withheld that capability from administrators.
Exploitation
An attacker needs an administrator-level account on a WordPress installation that is either a multi-site network or has the unfiltered_html capability disabled (for example via the DISALLOW_UNFILTERED_HTML constant) [1]. In both cases the administrator is deliberately denied unfiltered_html: on multisite only network super admins hold it by default. The plugin does not apply the same restriction to notification content, so the attacker can store arbitrary script in the notification settings; the payload is rendered without escaping and executes in the browser of every user who loads a page where the notification is displayed, including unauthenticated visitors, lower-privileged users and network super admins [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session [1]. This can lead to session hijacking, defacement, or redirection to malicious sites, compromising the confidentiality, integrity, and availability of the affected WordPress site's frontend [1]. The script runs with whatever privileges the viewing user has [1]: for an unauthenticated visitor that is little more than the page itself, but if a network super admin views the notification the attacker's script can act with that user's session (for example issuing requests to wp-admin or the REST API with the victim's cookies and nonces), which is precisely the boundary the unfiltered_html restriction is meant to enforce.
Mitigation
The issue is patched in version 2.9.4 of the NotificationX plugin; update to 2.9.4 or later [1]. Where an immediate upgrade is not possible, limit administrator (on multisite: site administrator) accounts to trusted users, and after updating review existing notification content for injected markup, since a payload stored before the update still sits in the plugin's settings. Note that granting unfiltered_html to administrators is not a mitigation: it removes the "vulnerability" only in the sense that those administrators are then trusted to post arbitrary HTML anyway, and on multisite it would hand site administrators a capability reserved for super admins. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
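The save/render pair below is an added illustration of the pattern behind the Exploitation and Mitigation sections above, not NotificationX's own code (the plugin's Preview.php is not reproduced here). It assumes it runs inside WordPress; the function names, the demo_nx_message option and the sample payload are made up for the example. The vulnerable half trusts an administrator's input end to end; the hardened half mirrors WordPress core's own rule for post content (only a user who actually holds unfiltered_html may store arbitrary markup) and escapes on output regardless of what was stored.

```php
<?php
/**
 * Illustrative (hypothetical) admin-editable notification message.
 * Not NotificationX code: it shows the stored-XSS pattern described for
 * CVE-2024-11727 and a hardened form. Assumes a WordPress runtime;
 * option name and function names are invented for this example.
 */

// --- Vulnerable pattern: administrator input is trusted end to end ----------

function demo_nx_save_message_vulnerable( $raw_message ) {
    // Stored verbatim. A site admin on multisite, or any admin where
    // DISALLOW_UNFILTERED_HTML is set, lacks unfiltered_html but can still
    // persist <script> or on* handlers through this path.
    update_option( 'demo_nx_message', $raw_message );
}

function demo_nx_render_message_vulnerable() {
    // Echoed without escaping: runs in every viewer's browser, including a
    // network super admin's.
    echo '<div class="demo-nx-bar">' . get_option( 'demo_nx_message', '' ) . '</div>';
}

// --- Hardened pattern: honour unfiltered_html on save, escape on output -----

function demo_nx_save_message( $raw_message ) {
    // Same decision core makes for post content. current_user_can()
    // resolves unfiltered_html to do_not_allow for non-super-admins on
    // multisite and for everyone when DISALLOW_UNFILTERED_HTML is true.
    // Everyone else gets the post-safe allow-list: <script> tags and on*
    // attributes are stripped, <strong>, <a href>, <img src> are kept.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $raw_message = wp_kses_post( $raw_message );
    }
    update_option( 'demo_nx_message', $raw_message );
}

function demo_nx_render_message() {
    // Escape on output regardless of what is stored, so a different write
    // path (import, REST, direct database edit) cannot reintroduce the bug.
    $message = get_option( 'demo_nx_message', '' );
    echo '<div class="demo-nx-bar">' . wp_kses_post( $message ) . '</div>';
}

// Constructed sample payload an admin-level user might submit. Through the
// vulnerable path it is stored and echoed as-is; through wp_kses_post() the
// onerror handler and the <script> tags are dropped (the script body
// survives only as inert text) and the <strong> and <img src> remain.
$demo_payload = '<strong>Sale!</strong> '
    . '<img src=x onerror="alert(document.cookie)">'
    . '<script>fetch("/wp-json/wp/v2/users")</script>';
```

To confirm exposure on a live site, check the installed plugin version against the 2.9.3 ceiling (with WP-CLI, `wp plugin get notificationx --field=version`, assuming the wordpress.org slug notificationx) and whether `current_user_can( 'unfiltered_html' )` is false for your administrator accounts; where it is false, the plugin's own sanitization was the only control and the update is the fix.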
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.9.3
Patches
- r3205560
References
News mentions
No linked articles in our index yet.