NotificationX < 3.2.1 – Missing Authorization to Authenticated (Contributor+) Analytics Reset | CVE 2026-0554 | Plugin Vulnerabilities

Description

The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership.

Affects Plugins

Fixed in 3.2.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

2a6bba5a-9c5b-491b-a478-b58a4f0a2ce6

Timeline

Publicly Published

2026-01-20 (about 2 months ago)

Added

2026-01-20 (about 2 months ago)

Last Updated

2026-01-20 (about 2 months ago)

Other

Published

Title

Published

2025-09-26

Title

Frames <= 1.5.7 - Missing Authorization

Published

2024-04-08

Title

5 star review funnel for Google Reviews, Trustpilot, ProvenExpert and more | RRatingg < 1.3.02 - Missing Authorization

Published

2025-11-03

Title

CE21 Suite 2.2.1 - 2.3.1 - Unauthenticated Privilege Escalation via Plugin Settings Update

Published

2024-12-12

Title

Termin-Kalender < 1.00.04 - Missing Authorization to Authenticated (Subscriber+)

Published

2025-05-16

Title

Acerola <= 1.6.5 - Missing Authorization