CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2022-0349 – NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection
https://notcve.org/view.php?id=CVE-2022-0349
02 Feb 2022 — The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection El plugin NotificationX de WordPress versiones anteriores a 2.3.9, no sanea y escapa del parámetro nx_id antes de usarlo en una sentencia SQL, conllevando a una inyección SQL ciega no autenticada The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, ... • https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36744 – NotificationX <= 1.8.2 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36744
16 Sep 2020 — The NotificationX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.2. This is due to missing or incorrect nonce validation on the generate_conversions() function. This makes it possible for unauthenticated attackers to generate conversions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •