A high-severity vulnerability has been discovered in the NotificationX WordPress plugin, which could allow an attacker to take control of a vulnerable website. By tricking a logged-in user into interacting with a malicious link or form, an attacker can execute unauthorized code in the user's browser, potentially leading to session hijacking, data theft, and full site compromise. Immediate patching is required to mitigate this significant security risk.

This is a DOM-Based Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize user-supplied input within the 'nx-preview' POST parameter. An attacker can craft a malicious request containing arbitrary JavaScript code. If a logged-in user (typically an administrator or editor with access to the preview functionality) is tricked into submitting this crafted request, the malicious script is injected into the page's DOM and executed by the victim's browser, in the context of their authenticated session.

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant negative impact on the business. An attacker could leverage this flaw to steal the session cookies of a privileged user, such as an administrator, allowing them to impersonate that user and gain complete control over the WordPress website. Potential consequences include website defacement, theft of sensitive customer or business data, installation of backdoors, and redirection of website visitors to malicious sites, leading to reputational damage and potential financial loss.

Immediate Action:

• Immediately update the "NotificationX" plugin to the latest version provided by the vendor, which contains a patch for this vulnerability.
• If the plugin is not essential for business operations, consider deactivating and removing it entirely to reduce the overall attack surface of the website.

Proactive Monitoring:

• Monitor web server and WAF (Web Application Firewall) logs for unusual POST requests to WordPress admin pages, specifically looking for malicious payloads or script tags within the 'nx-preview' parameter.
• Implement file integrity monitoring to detect any unauthorized changes to WordPress core files, themes, or plugins, which could indicate a successful compromise.

Compensating Controls:

• If immediate patching is not feasible, deploy a properly configured WAF with rulesets designed to detect and block XSS attack patterns in POST requests.
• Enforce strong security hygiene for all privileged WordPress accounts, including the use of multi-factor authentication (MFA), to make session hijacking more difficult.
• Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only.

Public Exploit Available: false

Given the high severity rating (CVSS 7.2) and the potential for a complete website takeover, we strongly recommend that organizations using the affected NotificationX plugin prioritize applying the security update immediately. Although this CVE is not currently on the CISA KEV list, the risk of session hijacking against an administrative account is critical. The primary remediation is to patch; however, implementing compensating controls like a WAF will provide a crucial defense-in-depth security posture against this and other web application attacks.