{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15380", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-30T21:36:36.412Z", "datePublished": "2026-01-20T14:26:33.859Z", "dateUpdated": "2026-04-08T17:11:27.627Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:27.627Z"}, "affected": [{"vendor": "wpdevteam", "product": "NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site."}], "title": "NotificationX <= 3.2.0 - Unauthenticated DOM-Based Cross-Site Scripting via 'nx-preview'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve"}, {"url": "https://research.cleantalk.org/cve-2025-15380/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-12-23T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-30T22:14:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-20T01:49:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T14:48:09.377792Z", "id": "CVE-2025-15380", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:48:22.901Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15380", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T14:48:09.377792Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:48:14.932Z"}}], "cna": {"title": "NotificationX <= 3.2.0 - Unauthenticated DOM-Based Cross-Site Scripting via 'nx-preview'", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpdevteam", "product": "NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-23T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-30T22:14:52.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-20T01:49:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve"}, {"url": "https://research.cleantalk.org/cve-2025-15380/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:27.627Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15380", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:27.627Z", "dateReserved": "2025-12-30T21:36:36.412Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-20T14:26:33.859Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site."}, {"lang": "es", "value": "El plugin NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner &amp; Floating Notification Bar para WordPress es vulnerable a cross-site scripting basado en DOM a trav\u00e9s del par\u00e1metro POST 'nx-preview' en todas las versiones hasta e incluyendo la 3.2.0. Esto se debe a una insuficiente sanitizaci\u00f3n de entrada y escape de salida al procesar datos de vista previa. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan cuando un usuario visita una p\u00e1gina maliciosa que env\u00eda autom\u00e1ticamente un formulario al sitio vulnerable."}], "id": "CVE-2025-15380", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-20T15:16:15.767", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-15380/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:15:01.647245+00:00", "value": {"mitigation_remediation": ["Upgrade the NotificationX plugin to the latest released version, which resolves the unsanitized handling of the 'nx-preview' parameter.", "If an immediate upgrade is not possible, configure a web\u2011application firewall or server\u2011side rule to block or strip the 'nx-preview' POST parameter, preventing the vulnerable code path from being executed.", "Disable or remove the preview functionality in the plugin\u2019s settings so that the 'nx-preview' endpoint is inaccessible from external requests."], "summary": {"action": "Immediate Patch", "impact": "DOM\u2011based Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the NotificationX family of plugins \u2013 including the FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar variants \u2013 running any version up to and including 3.2.0. All affected instances expose the 'nx-preview' endpoint as part of the preview feature provided by the plugin.", "description_and_impact": "The NotificationX WordPress plugin is vulnerable to a DOM\u2011based Cross\u2011Site Scripting flaw when an attacker can set the 'nx-preview' POST parameter. The plugin fails to sanitize or escape this input, allowing arbitrary JavaScript to be injected into the browser when a user visits a malicious page that auto\u2011submits the form to the vulnerable site. This flaw permits unauthenticated attackers to run scripts in the context of the WordPress site, potentially leading to data theft, defacement, or session hijacking.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.2, indicating a high-severity vulnerability. The EPSS score is below 1\u202f%, reflecting a low likelihood of exploitation at the time of analysis, and the issue is not yet listed in the CISA KEV catalog. Attackers can exploit the flaw through unauthenticated access by delivering a crafted POST request embedded in a malicious page that automatically sends the data to the site. The vulnerability does not require authentication but relies on a victim visiting the malicious page, after which the injected script executes in the victim\u2019s browser."}}}}, "created": "2026-01-21T11:19:25.379425+00:00", "updated": "2026-04-21T16:15:40.509345+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevteam", "wpdevteam$PRODUCT$notificationx"]}