CVE-2024-1698

Description

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

NVD
Severity: N/A
CVE ID: CVE-2024-1698
CVSS Score: N/A
CVSS Metrics: NVD assessment not yet provided.

Wordfence
Severity: CRITICAL
CVE ID: CVE-2024-1698
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Refrence: NVD MITRE

Proof Of Concept

Nuclei Templates for CVE-2024-1698

Refrence: Project Discovery GitHub

kamranhasan

This is an exploit script to find out wordpress admin's username and password hash by exploiting CVE-2024-1698.

Refrence: GitHub

Content on GitHub

codeb0ss | watchers:1

CVE-2024-1698-PoC
Mass Exploit CVE-2024-1698 - Wordpress NotificationX <= 2.8.2 - SQL Injection

Refrence: GitHub

Description​

Proof Of Concept​

Content on GitHub​

Description

Proof Of Concept

Content on GitHub