A new security advisory has been released warning of a serious vulnerability affecting the NotificationX plugin used on WordPress and WooCommerce websites. The flaw impacts more than 40,000 sites and allows attackers to inject malicious scripts without needing to log in.
The vulnerability has been rated 7.2 (high severity) and enables unauthenticated attackers to run harmful JavaScript in a visitor’s browser under certain conditions. This type of attack can occur simply by tricking a user into visiting a specially crafted webpage.
What Is NotificationX?
NotificationX is a popular WordPress plugin designed to display pop-ups, banners, and real-time notifications. These include recent sales alerts, promotional messages, announcements, and other “social proof” features commonly used on e-commerce and marketing websites to increase engagement and conversions.
Because the plugin is widely installed and often active on high-traffic pages, any security weakness carries a heightened level of risk.
Why This Vulnerability Is Serious
One of the most concerning aspects of this issue is that no authentication is required to exploit it. Attackers do not need a user account, admin access, or prior interaction with the website.
Instead, exploitation relies on social engineering. A victim only needs to visit a malicious page that silently submits data to the affected site, triggering the vulnerability in the background.
Root Cause of the Issue
The flaw is classified as a DOM-based cross-site scripting (XSS) vulnerability, caused by improper handling of user-supplied data in the plugin’s preview functionality.
Specifically, the plugin processes input passed through the nx-preview POST parameter without properly sanitising or escaping it. This allows attacker-controlled input to be interpreted as executable JavaScript rather than harmless text.
Because the vulnerability exists in client-side JavaScript, the malicious code executes directly in the user’s browser once the page loads.
What Attackers Could Do
If exploited successfully, the vulnerability allows attackers to run arbitrary JavaScript in the context of the affected site. This can lead to several serious consequences, including:
- Hijacking admin or editor sessions
- Performing actions as logged-in users
- Redirecting visitors to scam or malware sites
- Accessing sensitive data available through the browser
According to Wordfence, the vulnerability affects all versions of NotificationX up to and including version 3.2.0.
Patch and Affected Versions
The issue has been fixed in NotificationX version 3.2.1, which introduces improved input validation and output handling. All earlier versions remain vulnerable.
Site owners who are unable to update immediately are advised to disable the plugin until the patched version can be installed. Leaving the flaw unaddressed exposes both visitors and administrators to client-side attacks that may be difficult to detect.
Additional Security Issue Identified
The advisory also highlights a separate, lower-severity vulnerability rated at 4.3 (medium risk). This second issue affects older versions of the plugin and involves missing permission checks on two REST API endpoints.
These endpoints allow logged-in users with contributor-level access or higher to reset or regenerate analytics for any NotificationX campaign, even if they do not own it.
While this flaw does not allow full site takeover, it could be abused to disrupt reporting data and campaign tracking.
Recommended Action
Updating NotificationX to version 3.2.1 or later resolves both vulnerabilities. Site owners are strongly encouraged to apply the update as soon as possible or disable the plugin until it can be patched.
Given the size of the affected install base and evidence of active scanning, delaying action increases the risk of exploitation.