CVE-2026-0554

NotificationX <= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset

Severity: Medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 3.2.1
Time to patch: 1 day

Description

The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.1.11
Published: January 20, 2026
Last updated: January 20, 2026
Affected plugin: notificationx

Source Code: WordPress.org SVN
Research Plan
Unverified

This research plan targets CVE-2026-0554, a missing authorization vulnerability in the NotificationX plugin. This flaw allows users with Contributor-level roles and above to reset or regenerate analytics for any notification campaign via the WordPress REST API.


1. Vulnerability Summary

  • Vulnerability: Missing Authorization (IDOR-like behavior in REST API).
  • Affected Plugin: NotificationX (slug: notificationx).
  • Affected Versions: <= 3.1.11.
  • Vulnerable Endpoints: REST API routes used for regenerating and resetting analytics.
  • Impact: An attacker with Contributor privileges can delete or reset performance metrics (views, clicks, conversions) for any campaign, potentially disrupting business reporting or marketing analytics.

2. Attack Vector Analysis

  • Endpoint: /wp-json/notificationx/v1/analytics/reset and /wp-json/notificationx/v1/analytics/regenerate (inferred from description).
  • Method: POST.
  • Authentication: Authenticated (Contributor+).
  • Payload Parameter: id (The ID of the NotificationX campaign, which is a custom post type nx_notifications).
  • Vulnerability Root: The permission_callback for these REST routes likely uses a check such as current_user_can('edit_posts') (which Contributors have) instead of checking for administrative privileges or specific ownership of the notification campaign.

3. Code Flow (Inferred)

  1. Route Registration: The plugin uses the rest_api_init hook to register routes.
    • File: includes/Classes/Rest_API.php or similar (inferred).
    • Function: register_rest_route('notificationx/v1', '/analytics/reset', ...) (inferred).
  2. Authorization Check: The permission_callback likely returns true for any user who can edit_posts.
  3. Action Execution: The callback function takes the id from the request and clears the database entries in the analytics table associated with that ID.
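The vulnerable shape described in sections 2 and 3 beside a hardened one, as an added example written for this page (not NotificationX's own code): the notificationx/v1 namespace, the /analytics/reset and /analytics/regenerate route names, the nx_notifications post type and every nx_example_* function name are assumptions taken from this plan's inferences, not verified against the plugin source.

```php
<?php
/**
 * Added example, not NotificationX code. Namespace, route names, the
 * 'nx_notifications' post type and the nx_example_* helpers are assumptions
 * taken from the research plan above.
 */

// Vulnerable shape: every user who can edit posts (Contributor and above)
// passes, and nothing ties the caller to the campaign named by 'id'.
function nx_example_permission_vulnerable( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened shape: analytics maintenance is an administrative action, and the
// 'id' must name an existing campaign post before the callback runs.
function nx_example_permission_hardened( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to reset campaign analytics.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    $post = get_post( absint( $request->get_param( 'id' ) ) );
    if ( ! $post || 'nx_notifications' !== $post->post_type ) {
        return new WP_Error(
            'rest_post_invalid_id',
            __( 'Invalid campaign ID.' ),
            array( 'status' => 404 )
        );
    }
    return true;
}

// Alternative when non-admin roles are meant to manage their own campaigns:
// a per-object capability check. A Contributor lacks edit_others_posts, so
// current_user_can( 'edit_post', $id ) is false for campaigns they do not own
// (assuming the post type maps to the default 'post' capabilities).
function nx_example_permission_owner( WP_REST_Request $request ) {
    $id = absint( $request->get_param( 'id' ) );
    return 'nx_notifications' === get_post_type( $id )
        && current_user_can( 'edit_post', $id );
}

add_action( 'rest_api_init', function () {
    foreach ( array( 'reset', 'regenerate' ) as $action ) {
        register_rest_route( 'notificationx/v1', '/analytics/' . $action, array(
            'methods'             => WP_REST_Server::CREATABLE, // POST
            // Swap in nx_example_permission_vulnerable to reproduce the bug class.
            'permission_callback' => 'nx_example_permission_hardened',
            'args'                => array(
                'id' => array(
                    'required'          => true,
                    'type'              => 'integer',
                    'sanitize_callback' => 'absint',
                ),
            ),
            'callback'            => function ( WP_REST_Request $request ) use ( $action ) {
                // The real plugin clears or rebuilds analytics rows here; this
                // example only echoes what would have been acted on.
                return rest_ensure_response( array(
                    'action' => $action,
                    'id'     => $request->get_param( 'id' ),
                ) );
            },
        ) );
    }
} );
```

With the hardened callback in place, a Contributor sending the request from section 6 receives a rest_forbidden error instead of a zeroed campaign; with the vulnerable callback, the same request passes because Contributors hold edit_posts. The 'args' schema also rejects a missing or non-integer id before any callback runs.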

4. Nonce Acquisition Strategy

REST API requests authenticated through the WordPress login cookie are only treated as logged-in when they carry a valid wp_rest nonce for the current user; without the nonce WordPress processes the request as anonymous, and with an invalid one it returns a rest_cookie_invalid_nonce error, so the permission check fails either way.

  1. Login: Authenticate as a Contributor user.
  2. Access Dashboard: Navigate to wp-admin/index.php, or any admin page a Contributor can open that loads the wp-api-request script (for example the post editor at wp-admin/post-new.php).
  3. Extract Nonce: On pages that enqueue wp-api-request, the wp_rest nonce is localized in the wpApiSettings object; in the block editor the same value is available as wp.apiFetch.nonceMiddleware.nonce.
    • Action: In the browser console (or the plan's browser_eval tool), evaluate:
      window.wpApiSettings.nonce
      
  4. Header: Send this nonce in the X-WP-Nonce HTTP header (WordPress also accepts it as a _wpnonce request parameter). The nonce is bound to the session that created it, so reuse the same cookies for the REST request.

5. Test Data Setup

  1. Install NotificationX: Ensure version <= 3.1.11 is installed.
  2. Create Campaign: As an Administrator, create a new NotificationX campaign (e.g., a "Sales Notification").
    • Note the ID of this campaign (e.g., POST_ID).
  3. Generate Analytics Data: Simulate/generate some views or clicks for this campaign so the analytics are non-zero.
    • Analytics data is usually stored in a custom table like wp_nx_analytics.
  4. Create Attacker User: Create a user with the Contributor role.

6. Exploitation Strategy

The goal is to reset the analytics of the Admin-created campaign while logged in as a Contributor.

Step 1: Login as Contributor.
Use the http_request tool (or any HTTP client with a cookie jar) to log in via wp-login.php and keep the session cookies for the following requests.

Step 2: Obtain the REST Nonce.
Navigate to any admin page (e.g., /wp-admin/profile.php) and extract the nonce as described in section 4.

Step 3: Trigger the Reset.
Send a POST request to the reset endpoint.

  • URL: http://[target]/wp-json/notificationx/v1/analytics/reset (or regenerate)
  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: [Extracted Nonce]
  • Payload:
    {
      "id": [POST_ID_OF_ADMIN_CAMPAIGN]
    }
    

7. Expected Results

  • Response Code: 200 OK or 204 No Content.
  • Response Body: Likely a success message or the updated (zeroed) campaign object.
  • Database Change: The analytics count for the targeted campaign should be reset to zero.

8. Verification Steps

  1. Check via WP-CLI:
    Verify the analytics table directly. NotificationX uses custom tables; confirm the table and column names first (for example with wp db tables), since wp_nx_analytics and notification_id are assumed names and the wp_ prefix may differ per site.
    # Replace wp_nx_analytics / notification_id with the actual table and column names
    wp db query "SELECT count(*) FROM wp_nx_analytics WHERE notification_id = [POST_ID]"
    
    • Success Criteria: The count is 0 after the exploit, where it was > 0 before.
  2. Check Admin UI:
    Log in as Admin and view the NotificationX "Analytics" dashboard; the numbers for the targeted campaign should be wiped.

9. Alternative Approaches

  • Namespace Guessing: If notificationx/v1 is incorrect, grep the plugin folder for register_rest_route to find the exact namespace and endpoint names.
  • Parameter Guessing: If the payload is not JSON, try application/x-www-form-urlencoded with the ID in the body.
  • Other Endpoints: Check for similar unauthorized access on endpoints related to settings, export, or log deletion within the NotificationX REST namespace.

Grep Commands for Code Audit

If the environment permits, run these to confirm identifiers:

# Find REST route registrations
grep -rn "register_rest_route" wp-content/plugins/notificationx/

# Find the analytics reset callback
grep -rn "reset" wp-content/plugins/notificationx/ | grep "analytics"

# Check the capability used in permission_callback
grep -rn "permission_callback" wp-content/plugins/notificationx/ -A 5
Research Findings
Static analysis — not yet PoC-verified

Summary

The NotificationX plugin for WordPress (<= 3.1.11) contains a missing authorization vulnerability in its REST API analytics endpoints. This flaw allows authenticated users with Contributor-level permissions or higher to reset or regenerate performance metrics for any campaign by providing its post ID, leading to unauthorized data loss and disruption of marketing analytics.

Security Fix

--- a/includes/Classes/Rest_API.php
+++ b/includes/Classes/Rest_API.php
@@ -... @@
-                'permission_callback' => function () {
-                    return current_user_can( 'edit_posts' );
-                },
+                'permission_callback' => function () {
+                    return current_user_can( 'manage_options' );
+                },
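Review bot: the hunk replaces one permission_callback closure, but the advisory names two affected routes ('regenerate' and 'reset'); confirm that both registrations share this closure or that each one receives the same manage_options check, otherwise the second route stays exposed. manage_options is also the coarsest possible fix: if non-admin roles are meant to manage their own campaigns, a per-object check such as current_user_can( 'edit_post', $id ) on the request's id would block cross-campaign resets while keeping that workflow. Finally, the file path (includes/Classes/Rest_API.php) is the plan's inferred location and the hunk header is a placeholder (@@ -... @@), so this diff should be matched against the actual 3.2.1 change on WordPress.org SVN before it is cited as the fix.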

Exploit Outline

  1. Log in to the WordPress site with an account that has at least Contributor-level privileges.
  2. Access the WordPress admin dashboard and extract the wp_rest nonce from the wpApiSettings JavaScript object (usually found in the page source).
  3. Identify the post ID of a target NotificationX campaign (custom post type nx_notifications).
  4. Issue a POST request to the endpoint /wp-json/notificationx/v1/analytics/reset or /wp-json/notificationx/v1/analytics/regenerate (route names inferred from the advisory description, not yet confirmed against the plugin source).
  5. Include the X-WP-Nonce header with the extracted nonce and a JSON body containing the target ID, for example {"id": 123}.
  6. The plugin executes the reset/regeneration logic for the specified campaign without verifying that the user has administrative permissions or owns the campaign.
