Scan free
CRITICALCVE-2024-1698CVSS 9.8

CVE-2024-1698: SQL Injection in NotificationX Plugin

Platform

wordpress

Component

notificationx

Fixed in

2.8.3

AI Confidence: highNVDEPSS 93.7%Reviewed: May 2026
View on NVD
Save

CVE-2024-1698 describes a critical SQL Injection vulnerability affecting the NotificationX plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions of the plugin up to and including 2.8.2. A patch is available to address this issue.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The SQL Injection vulnerability in NotificationX allows attackers to directly manipulate database queries. An attacker could exploit this to extract sensitive information such as user credentials, customer data, order details, and potentially even WordPress administrative user information. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. The lack of authentication required to trigger the vulnerability significantly increases the attack surface, making it a high-priority concern. This vulnerability shares similarities with other SQL Injection flaws where attackers can bypass security controls and gain unauthorized access to backend systems.

Exploitation Context

CVE-2024-1698 was publicly disclosed on February 27, 2024. Public proof-of-concept exploits are likely to emerge given the vulnerability's severity and ease of exploitation. The high CVSS score (9.8) indicates a critical risk. Monitor CISA and vendor advisories for updates and potential exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

93.74% (100% percentile)

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentnotificationx
Vendorwpdevteam
Affected rangeFixed in
* – 2.8.22.8.3

Package Information

Active installs
40KKnown
Plugin rating
4.8
Requires WordPress
5.0+
Compatible up to
7.0
Requires PHP
5.6+
Homepage

Weakness Classification (CWE)

CWE-89

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 817 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-1698 is to immediately upgrade the NotificationX plugin to a version that includes the security patch. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL injection attempts targeting the 'type' parameter. Additionally, review and harden WordPress database user permissions to limit the potential damage from a successful attack. Monitor WordPress access logs for suspicious SQL queries.

How to fix

Update the NotificationX plugin to the latest available version. Version 2.8.3 or higher fixes the SQL Injection vulnerability. This will prevent unauthenticated attackers from extracting sensitive information from the database.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-1698 — SQL Injection in NotificationX Plugin?

CVE-2024-1698 is a critical SQL Injection vulnerability in the NotificationX WordPress plugin, allowing attackers to extract data from the database.

Am I affected by CVE-2024-1698 in NotificationX Plugin?

Yes, if you are using NotificationX plugin version 2.8.2 or earlier, you are vulnerable to this SQL Injection flaw.

How do I fix CVE-2024-1698 in NotificationX Plugin?

Upgrade the NotificationX plugin to the latest version that contains the security patch. Consider WAF rules as a temporary workaround.

Is CVE-2024-1698 being actively exploited?

While no active exploitation has been confirmed, the high severity and ease of exploitation suggest it is likely to be targeted soon.

Where can I find the official NotificationX advisory for CVE-2024-1698?

Check the NotificationX plugin website and WordPress plugin repository for the latest advisory and update information.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs