CVE-2024-1698 (CVSS 9.8): Critical SQLi Flaw in NotificationX WordPress Plugin
A critical SQL injection vulnerability (CVE-2024-1698) was discovered in the widely used (over 30,000 installations) NotificationX WordPress plugin (versions up to and including 2.8.2). This flaw could enable unauthenticated attackers to inject malicious code and potentially gain complete control of affected websites. The vulnerability received a CVSS score of 9.8, classifying it as a critical security risk.
How the Exploit Works
The vulnerability originates from improper input sanitization in the plugin’s “type” parameter. Attackers can craft malicious SQL queries that manipulate the database, leading to the extraction of sensitive information.
SQL injection attacks work by manipulating database queries to extract information they shouldn’t have access to. In this case, attackers could potentially target sensitive data such as usernames, hashed passwords, customer information, and other confidential details stored in the WordPress database.
Security researcher Krzysztof Zając – CERT PL has been credited for reporting this flaw.
Consequences of Exploitation
The successful exploitation of this vulnerability could have severe consequences for website owners, including:
- Data Theft: Sensitive information could be stolen and sold on the dark web or used for identity theft.
- Website Defacement: Attackers could alter the website’s appearance or insert malicious content.
- Malware Distribution: The compromised website could be used to spread malware to visitors.
- Reputational Damage: A security breach can negatively impact a business’s reputation and customer trust.
Affected Versions
All versions of the NotificationX plugin up to and including 2.8.2 are vulnerable.
Importance of Preventative Action
While there are no reports of CVE-2024-1698 being actively exploited yet, unpatched plugins are prime targets for cybercriminals. Taking swift action to update the plugin and following security best practices will significantly minimize your website’s risk.
Mitigation
Plugin users must update to the patched version (2.8.3) as soon as possible. There is no known workaround to address this specific flaw.