WordPress Plugin Vulnerabilities

NotificationX < 3.2.1 - Unauthenticated DOM-Based Cross-Site Scripting via 'nx-preview'

Description

The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site.

Affects Plugins

Plugin icon
notificationx
Fixed in 3.2.1

References

CVE
CVE-2025-15380
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
033fb14e-8705-4afc-bd72-0e9c112a7ed3

Timeline

Publicly Published
2026-01-20 (about 5 months ago)
Added
2026-01-20 (about 5 months ago)
Last Updated
2026-01-20 (about 5 months ago)

Other

Published
Title
Published
2026-01-27
Title
Appointment Hour Booking – Booking Calendar < 1.5.61 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration
Published
2024-12-05
Title
Flixita < 1.0.83 - Reflected Cross-Site Scripting via id Parameter
Published
2026-02-26
Title
Elfsight WhatsApp Chat CC <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-11
Title
Rescue Shortcodes < 2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-04-10
Title
Product Excel Import Export & Bulk Edit for WooCommerce <= 4.7 - Reflected Cross-Site Scripting