CVE-2026-27042

Title: NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar <= 3.2.1 - Missing Authorization
URL slug: notificationx-fomo-live-sales-notification-woocommerce-sales-popup-gdpr-social-proof-announcement-banner-floating-notifi
Description: The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
Plugin slug: notificationx
Theme slug: null
Affected versions: <=3.2.1
Patched in version: 3.2.2
Severity: medium
CVSS score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability type: Missing Authorization
Published date: 2026-01-15 00:00:00
Updated date: 2026-05-04 15:50:19
References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c09318f1-04b2-44e5-a184-c07942ae5778?source=api-prod
Days to patch: 110
Patch diff files: README.txt, assets/admin/css/admin.css, assets/admin/css/wpdeveloper-review-notice.css, assets/admin/js/admin.asset.php, assets/admin/js/admin.js, assets/admin/js/emoji-mart.js, assets/public/js/crossSite.js, assets/public/js/frontend.js
Patch trac URL: null

Research status: researched
Research verified: false
Research rounds completed: 3
Research model used: gemini-3-flash-preview
Research started at: 2026-05-05 09:21:01
Research completed at: 2026-05-05 09:22:01
Research summary, vulnerable code, fix diff, exploit outline, error: null

PoC status, video id, summary, steps, tested at, WP version, PHP version, Playwright script, exploit code, model used, verification depth: null
PoC has trace: false
PoC exploit code gated: false

Source links:
- Type: plugin
- Vulnerable version: 3.2.1 (browse: https://plugins.trac.wordpress.org/browser/notificationx/tags/3.2.1; zip: https://downloads.wordpress.org/plugin/notificationx.3.2.1.zip)
- Fixed version: 3.2.2 (browse: https://plugins.trac.wordpress.org/browser/notificationx/tags/3.2.2; zip: https://downloads.wordpress.org/plugin/notificationx.3.2.2.zip)
- All tags: https://plugins.trac.wordpress.org/browser/notificationx/tags

Research plan:

This research plan outlines the technical steps required to exploit a missing authorization vulnerability in **NotificationX** (<= 3.2.1).

## 1. Vulnerability Summary
The **NotificationX** plugin for WordPress is vulnerable to **Missing Authorization** in its AJAX handlers. Specifically, the `nx_handle_quick_builder` action (and potentially others like `nx_get_objects`) is registered with both `wp_ajax_` and `wp_ajax_nopriv_` hooks, but the corresponding callback function fails to perform a `current_user_can()` check (e.g., for `manage_options`).

This allows unauthenticated attackers to create, modify, or delete "notifications" (custom post type `notificationx`), which are used to display FOMO alerts (sales, reviews, etc.) on the site.

## 2. Attack Vector Analysis
- **Endpoint**: `/wp-admin/admin-ajax.php`
- **Action**: `nx_handle_quick_builder`
- **Vulnerability Type**: Missing Capability Check / Missing Authorization
- **Authentication**: None (Unauthenticated)
- **Preconditions**: The plugin must be active.
- **Parameter**: `data` (a URL-encoded string containing notification properties) and `nonce` (if required).

## 3. Code Flow (Inferred)
1. The plugin registers the action:
   `add_action( 'wp_ajax_nopriv_nx_handle_quick_builder', 'nx_handle_quick_builder_callback' )`
2. The `nx_handle_quick_builder_callback` function is called.
3. It retrieves the `$_POST['data']` parameter and processes it using `parse_str()`.
4. It calls `wp_insert_post()` or a similar wrapper to save the data to the `notificationx` custom post type.
5. **Crucially**, it lacks a check like `if ( ! current_user_can( 'manage_options' ) ) wp_die();`.

## 4. Nonce Acquisition Strategy
While the vulnerability is "Missing Authorization," the plugin may still check for a WordPress nonce. In NotificationX, nonces for the "Quick Builder" or frontend features are often localized for the frontend to support dynamic loading.

**Strategy:**
1. **Identify Script Loading**: The plugin enqueues scripts when a NotificationX notification is active or when the `[notificationx]` shortcode is present.
2. **Setup Test Page**: Create a public page containing the shortcode.
   ```bash
   wp post create --post_type=page --post_status=publish --post_title="Nonce Page" --post_content="[notificationx]"
   ```
3. **Extract Nonce**: Navigate to this page and use `browser_eval` to extract the nonce from the localized JavaScript objects.
   - Target Object: `window.notificationx_public` or `window.nx_localize`.
   - Nonce Key: `nonce` or `nx_quick_builder_nonce`.
   ```javascript
   // Execution agent should try:
   browser_eval("window.notificationx_public?.nonce || window.nx_localize?.nonce")
   ```

## 5. Exploitation Strategy
The goal is to create a new "Sales Notification" unauthenticated.

### HTTP Request (PoC)
- **Method**: `POST`
- **URL**: `http://localhost:8080/wp-admin/admin-ajax.php`
- **Headers**: `Content-Type: application/x-www-form-urlencoded`
- **Body Parameters**:
    - `action`: `nx_handle_quick_builder`
    - `nonce`: `[EXTRACTED_NONCE]`
    - `data`: A URL-encoded string representing the notification details.
        - `nx_notification_title`: `Vulnerable Notification`
        - `nx_source_type`: `sales`
        - `nx_notification_type`: `woo`
        - `nx_builder_step`: `4` (Finalizing step in the builder)
        - `nx_notification_status`: `publish`

**Example