{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0554", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-01T20:31:15.582Z", "datePublished": "2026-01-20T14:26:34.215Z", "dateUpdated": "2026-04-08T17:29:28.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:28.505Z"}, "affected": [{"vendor": "wpdevteam", "product": "NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership."}], "title": "NotificationX <= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve"}, {"url": "https://research.cleantalk.org/cve-2026-0554"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-12-24T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-01T20:48:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-20T01:50:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T14:46:11.424620Z", "id": "CVE-2026-0554", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:47:07.305Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0554", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T14:46:11.424620Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:46:58.726Z"}}], "cna": {"title": "NotificationX <= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpdevteam", "product": "NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-24T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-01T20:48:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-20T01:50:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve"}, {"url": "https://research.cleantalk.org/cve-2026-0554"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:28.505Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0554", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:28.505Z", "dateReserved": "2026-01-01T20:31:15.582Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-20T14:26:34.215Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership."}, {"lang": "es", "value": "El plugin NotificationX para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en los endpoints de la API REST 'regenerate' y 'reset' en todas las versiones hasta la 3.1.11, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Colaborador y superior, restablecer las anal\u00edticas para cualquier campa\u00f1a de NotificationX, independientemente de la propiedad."}], "id": "CVE-2026-0554", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-20T15:20:06.853", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2026-0554"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T02:08:53.177732+00:00", "value": {"mitigation_remediation": ["Verify the installed NotificationX plugin version and check the vendor\u2019s website or plugin repository for an official update that addresses the missing authorization check.", "If an update is not immediately available, remove or limit the REST API permissions for Contributor roles, ensuring that only administrators can access the analytics reset endpoints.", "Monitor the plugin and WordPress environment for new releases or security advisories and apply updates promptly."], "summary": {"action": "Check Update", "impact": "Unauthorized analytics reset by authenticated users with Contributor-level access"}, "threat_synthesis": {"affected_systems": "The plugin affected is NotificationX, including variants such as FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner, and Floating Notification Bar from wpdevteam. Versions up to and including 3.1.11 are vulnerable; these releases are available for WordPress sites that have installed the plugin. No specific operating system or WordPress version is singled out beyond the plugin version.", "description_and_impact": "The NotificationX plugin for WordPress contains a missing capability check on the REST API endpoints used for regenerating and resetting campaign analytics. Because of this omission, authenticated users who hold Contributor privileges or higher can trigger a reset of the analytics for any NotificationX campaign, even if the user does not own that campaign. This allows the attacker to modify data, potentially erasing valuable tracking information and undermining the accuracy of campaign metrics, while preserving confidentiality and integrity of other site data.", "risk_and_exploitability": "This issue has a CVSS base score of 4.3, reflecting moderate severity because only analytics data can be altered. The EPSS score is below 1%, indicating a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of widespread exploitation yet. Nevertheless, attackers who can reach a WordPress site with Contributor or higher roles could trigger the reset via the exposed REST endpoints once the missing capability check is bypassed. No additional preconditions beyond authenticated access are required, and the affected functionality is reachable through normal REST routes."}}}}, "created": "2026-01-21T11:19:05.226191+00:00", "updated": "2026-04-16T02:15:21.332909+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}