CVE-2025-15380
NotificationX <= 3.2.0 - Unauthenticated DOM-Based Cross-Site Scripting via 'nx-preview'
The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site.
| CWE | CWE-79 |
| Vendor | wpdevteam |
| Product | notificationx – fomo, live sales notification, woocommerce sales popup, gdpr, social proof, announcement banner & floating notification bar |
| Published | Jan 20, 2026 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for wpdevteam notificationx – fomo, live sales notification, woocommerce sales popup, gdpr, social proof, announcement banner & floating notification bar
Be the first to know when new high vulnerabilities affecting wpdevteam notificationx – fomo, live sales notification, woocommerce sales popup, gdpr, social proof, announcement banner & floating notification bar are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N