NotificationX WordPress WooCommerce Plugin Vulnerabilities Impact 40k Sites

According to Roger Montti’s report on Search Engine Journal, “NotificationX WordPress WooCommerce Plugin Vulnerabilities Impact 40k Sites,” a high-severity security vulnerability has been disclosed in the NotificationX FOMO plugin for WordPress and WooCommerce, affecting more than 40,000 websites.

Vulnerability Overview

Montti reports that the primary flaw, rated 7.2 (High), allows unauthenticated attackers to inject malicious JavaScript into affected sites. The attack does not require a WordPress account or any user privileges and can be triggered when a victim visits a specially crafted malicious page.

NotificationX is widely used on marketing and eCommerce sites to display popups, sales notifications, announcement banners, and other “social proof” elements designed to influence visitor behavior.

Root Cause: DOM-Based Cross-Site Scripting (XSS)

The vulnerability stems from a DOM-based Cross-Site Scripting (XSS) flaw in how the plugin processes preview data. Specifically, NotificationX accepts input through the nx-preview POST parameter without properly sanitizing or escaping it before rendering it in the browser.

As Montti explains, this allows attacker-controlled input to be treated as executable JavaScript rather than harmless preview content. If exploited, malicious scripts can execute in a visitor’s browser under the context of the affected site.
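The following is an added illustration, not code from NotificationX or from Montti's report, of the defect class described above: untrusted preview data reaching an HTML sink without escaping, beside the escaped version and a check that review or a test suite can apply. The `nx-preview` field name is taken from the report; the request body, the `title` field, the rendering functions and the probe string are constructed assumptions, and the plugin's real rendering path is not known here.

```javascript
// Added illustration (not NotificationX's code) of unescaped "preview" data
// becoming DOM-based XSS, and of escaping before the data reaches an HTML sink.
// Only the `nx-preview` field name comes from the report; everything else here
// (form layout, `title` field, sample values, function names) is assumed.

// Minimal HTML escaping for text placed into element content or quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed shape of the request: an application/x-www-form-urlencoded body in
// which `nx-preview` carries the message text to preview. Nothing is trusted yet.
function parsePreviewRequest(formBody) {
  const params = new URLSearchParams(formBody);
  return {
    title: params.get('title') ?? '',
    message: params.get('nx-preview') ?? '',
  };
}

// Vulnerable pattern: request values are concatenated straight into markup that
// will later be assigned to innerHTML (or an equivalent sink) in the browser,
// so any tags in the input are parsed and executed rather than displayed.
function renderPreviewUnsafe(preview) {
  return '<div class="nx-preview"><p>' + preview.title +
         '</p><p>' + preview.message + '</p></div>';
}

// Hardened pattern: every untrusted value is escaped before it enters markup.
// In browser code the same effect comes from writing the value with textContent
// instead of innerHTML; the escaping here is for string-built markup.
function renderPreviewSafe(preview) {
  return '<div class="nx-preview"><p>' + escapeHtml(preview.title) +
         '</p><p>' + escapeHtml(preview.message) + '</p></div>';
}

// Review-time check: does any request value that contains markup characters
// appear verbatim in the rendered output? True means the sink is unprotected.
function leaksMarkup(rendered, preview) {
  return Object.values(preview).some(v => /[<>"']/.test(v) && rendered.includes(v));
}

// Constructed sample body: a harmless probe tag, URL-encoded as a form would send it.
const SAMPLE_BODY = 'title=Flash+sale&nx-preview=%3Cscript%3Eprobe()%3C%2Fscript%3E';

function demo() {
  const preview = parsePreviewRequest(SAMPLE_BODY);
  return {
    unsafeLeaks: leaksMarkup(renderPreviewUnsafe(preview), preview), // true
    safeLeaks: leaksMarkup(renderPreviewSafe(preview), preview),     // false
  };
}
```

The check in `leaksMarkup` is deliberately crude: it only asks whether markup characters from the input survived unchanged, which is the question an auditor asks of every sink that renders request data. Context-specific escaping (attribute, URL, JavaScript string) still has to be chosen per sink; `escapeHtml` covers element content and quoted attributes only.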

Potential Impact

If successfully exploited, attackers could:

  • Hijack logged-in administrator or editor sessions
  • Perform actions on behalf of authenticated users
  • Redirect visitors to malicious or fraudulent websites
  • Access sensitive information available through the browser

Because the attack relies on tricking users into visiting a malicious page, it is classified as a client-side exploit. Yet, it still poses serious risks to both site owners and visitors.

Affected Versions and Patch

All versions of NotificationX up to and including 3.2.0 are vulnerable. The issue was patched in version 3.2.1, which includes security fixes addressing the XSS flaw.

Montti notes that site owners who cannot update immediately should disable the plugin until the patched version can be applied.

Additional Medium-Severity Issue

Montti also highlights a second vulnerability affecting NotificationX, rated 4.3 (Medium). This flaw involves missing capability checks on REST API endpoints used to reset or regenerate campaign analytics. While it requires authenticated access at the Contributor level or higher and does not allow site takeover, it could still allow attackers to manipulate or erase analytics data.
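As an added example, not NotificationX's code and not derived from its REST routes, the block below models the authorization gap the report describes: an endpoint that resets analytics and whose permission check only confirms that the caller is logged in, beside one gated on an administrative capability, plus an audit helper that lists which roles can reach each route. The capability names follow WordPress conventions (`read`, `edit_posts`, `manage_options`); the router, route paths, user records and analytics store are constructed for this illustration.

```javascript
// Added illustration (not NotificationX's code) of a missing capability check
// on a REST-style endpoint. Route paths, users and the analytics store are
// constructed; capability names mirror WordPress conventions only.

// Constructed principals: each role carries the capabilities it would have in
// WordPress. A Contributor is authenticated but is not a site administrator.
const users = {
  anonymous:   { role: 'anonymous',   caps: [] },
  contributor: { role: 'contributor', caps: ['read', 'edit_posts'] },
  admin:       { role: 'admin',       caps: ['read', 'edit_posts', 'manage_options'] },
};

function userCan(user, cap) {
  return user.caps.includes(cap);
}

// Tiny router: each route declares a permission callback that runs before the handler,
// mirroring the permission_callback concept of the WordPress REST API.
const routes = new Map();
function registerRoute(path, { permissionCallback, callback }) {
  routes.set(path, { permissionCallback, callback });
}

// Pure handler: returns a reset copy of the store rather than mutating shared state.
function resetAnalytics(store) {
  return { ...store, clicks: 0, impressions: 0 };
}

function dispatch(path, user, store) {
  const route = routes.get(path);
  if (!route) return { status: 404 };
  if (!route.permissionCallback(user)) return { status: 403 };
  return { status: 200, body: route.callback(store) };
}

// Weak registration: "can read" is true for every logged-in user, so this is an
// authentication check masquerading as an authorization check.
registerRoute('/nx/v1/analytics/reset-weak', {
  permissionCallback: user => userCan(user, 'read'),
  callback: resetAnalytics,
});

// Hardened registration: a destructive, site-wide action requires the capability
// that governs plugin administration.
registerRoute('/nx/v1/analytics/reset', {
  permissionCallback: user => userCan(user, 'manage_options'),
  callback: resetAnalytics,
});

// Audit helper: which roles pass the permission callback of a route? Running this
// over every registered route is a quick way to spot over-permissive endpoints.
function rolesAllowed(path) {
  const route = routes.get(path);
  if (!route) return [];
  return Object.values(users)
    .filter(u => route.permissionCallback(u))
    .map(u => u.role);
}

const sampleStore = { clicks: 120, impressions: 4500 }; // constructed analytics data

function demo() {
  return {
    weak: rolesAllowed('/nx/v1/analytics/reset-weak'),   // ['contributor', 'admin']
    hardened: rolesAllowed('/nx/v1/analytics/reset'),    // ['admin']
    contributorOnHardened: dispatch('/nx/v1/analytics/reset', users.contributor, sampleStore).status, // 403
  };
}
```

The point the audit helper makes is that the question to ask of each route is not "does it require a login" but "which roles does its permission callback admit, and should every one of them be able to trigger this action". For a route that erases data, only an administrative capability should pass.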

Updating to version 3.2.1 or later resolves both vulnerabilities.

What Site Owners Should Do

WordPress and WooCommerce site owners using NotificationX are strongly advised to update immediately. Leaving vulnerable versions active exposes sites to client-side attacks that can be difficult to detect and may compromise users, site administrators, and marketing data.

As Montti’s reporting underscores, even plugins focused on frontend notifications can introduce significant security risks if input handling and permission checks are not strictly enforced.
