Atomic Edge analysis of CVE-2025-15380:
The NotificationX WordPress plugin, version 3.2.0 and earlier, contains an unauthenticated DOM-based cross-site scripting (XSS) vulnerability. The flaw lies in the preview functionality and lets an attacker inject arbitrary JavaScript through the `nx-preview` POST parameter. It is rated CVSS 7.2 (High) because it requires no authentication and yields client-side code execution in the target site's origin.

The root cause is missing input validation and output escaping in the `get_settings()` method of the `Preview` class, in `notificationx/includes/FrontEnd/Preview.php` at lines 336-337. The method base64-decodes and JSON-parses `$_POST['nx-preview']` with no validation or sanitization of the result. The decoded settings are then rendered into the DOM as-is, so any HTML or JavaScript placed in a string value of the JSON reaches the page unescaped.

Exploitation follows the cross-site form-submission pattern. The attacker hosts a page containing a hidden form whose action is the NotificationX preview endpoint on the target site and whose `nx-preview` field holds a base64-encoded JSON payload with JavaScript in one of its string values; a script on the page submits the form as soon as it loads. When a victim visits the page, the browser performs a top-level POST to the vulnerable site, the plugin decodes the payload and renders it unsanitized, and the attacker's JavaScript executes in the target site's origin, in the victim's browser. Browsers that treat cookies without a SameSite attribute as Lax may withhold the victim's WordPress cookies from that initial cross-site POST, but this does not blunt the attack: once the injected script is running in the target origin, every request it issues is same-origin and carries the victim's session cookies.

The patch modifies `get_settings()` in `notificationx/includes/FrontEnd/Preview.php`. The updated code checks that the POST parameter exists, removes the slashes WordPress adds to request data with `wp_unslash()`, verifies that base64 decoding succeeded, verifies that the JSON decodes to an array, and then recursively applies `wp_strip_all_tags()` to every string value. Stripping tags before the data is rendered removes the `<script>` and event-handler-bearing elements an attacker would inject. Note that tag stripping on input is defense in depth rather than a replacement for contextual escaping: a stripped value can still contain quotes or other characters that break out of an attribute or a JavaScript string if the renderer later interpolates it into markup, so the sink should still escape for its context.
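The following is an added illustration, not NotificationX's own code: a reconstruction of the decode-and-render path described in the root-cause section beside a hardened version built from the checks the patch is said to add, fed with a constructed payload of the kind the auto-submitting form in the exploitation section would POST. The `nx_*` function names, the sample settings keys and the fallback definitions of `wp_unslash()` and `wp_strip_all_tags()` (used only when WordPress is not loaded, so the file runs under plain `php`) are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. The nx_* names, the payload keys and
// the wp_* fallbacks below are assumptions; inside WordPress the real
// wp_unslash()/wp_strip_all_tags() are used instead of the fallbacks.

if ( ! function_exists( 'wp_unslash' ) ) {
    // WordPress adds slashes to $_POST; wp_unslash() removes them recursively.
    function wp_unslash( $value ) {
        if ( is_array( $value ) ) {
            return array_map( 'wp_unslash', $value );
        }
        return is_string( $value ) ? stripslashes( $value ) : $value;
    }
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    // Simplified fallback: drop <script>/<style> blocks with their contents,
    // then every remaining tag (WordPress additionally normalises whitespace).
    function wp_strip_all_tags( $text ) {
        $text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $text );
        return trim( strip_tags( $text ) );
    }
}

// Vulnerable shape: whatever decodes is handed straight to the renderer.
function nx_vulnerable_get_settings( array $post ) {
    return json_decode( base64_decode( $post['nx-preview'] ), true );
}

// Hardened shape, mirroring the checks the advisory lists for the patch.
function nx_hardened_get_settings( array $post ) {
    if ( empty( $post['nx-preview'] ) || ! is_string( $post['nx-preview'] ) ) {
        return array();
    }
    $raw     = wp_unslash( $post['nx-preview'] );
    $decoded = base64_decode( $raw, true );   // strict mode: invalid input -> false
    if ( false === $decoded ) {
        return array();
    }
    $settings = json_decode( $decoded, true );
    if ( ! is_array( $settings ) ) {          // rejects scalars, null and bad JSON
        return array();
    }
    return nx_sanitize_deep( $settings );
}

// Recurse into nested arrays, strip tags from strings, leave other scalars alone.
function nx_sanitize_deep( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'nx_sanitize_deep', $value );   // preserves keys
    }
    return is_string( $value ) ? wp_strip_all_tags( $value ) : $value;
}

// Constructed payload, the kind a hidden auto-submitting form would POST.
$payload = array(
    'title'   => '<img src=x onerror="alert(document.domain)">',
    'message' => 'Hello <b>world</b>',
    'count'   => 3,
);
$fake_post = array( 'nx-preview' => base64_encode( json_encode( $payload ) ) );

var_export( nx_vulnerable_get_settings( $fake_post ) );   // the <img onerror> survives
echo PHP_EOL;
var_export( nx_hardened_get_settings( $fake_post ) );     // title '', message 'Hello world', count 3
echo PHP_EOL;
var_export( nx_hardened_get_settings( array( 'nx-preview' => 'not base64!' ) ) );   // array ()
```

Run it with `php` and compare the two `var_export` outputs: the vulnerable path returns the `onerror` payload intact, while the hardened path reduces it to an empty string and keeps the non-string `count` untouched, and a non-base64 value short-circuits to an empty array at the strict decode. The strict `true` argument to `base64_decode()` matters because the default mode silently discards invalid characters and returns a partial result. A value such as `" onmouseover="alert(1)` passes `wp_strip_all_tags()` unchanged, which is why the renderer must still escape for its output context.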

Successful exploitation allows an attacker to execute arbitrary JavaScript in the target site's origin in the browser of any user lured to the malicious page. WordPress sets its authentication cookies as HttpOnly, so outright cookie theft is limited, but the injected script runs same-origin and can issue authenticated requests on the victim's behalf, obtain a nonce, and drive admin-ajax or REST endpoints with the victim's privileges. If the victim is a logged-in administrator, this amounts to administrative account takeover; other outcomes include content manipulation and redirection to phishing sites. The attack requires no authentication on the attacker's side and works against any WordPress site running a vulnerable version of the plugin.