CVE-2025-15380 Overview
CVE-2025-15380 is a DOM-Based Cross-Site Scripting (XSS) vulnerability affecting the NotificationX WordPress plugin, a popular extension used for displaying FOMO notifications, live sales popups, social proof elements, and announcement banners. The vulnerability exists in the nx-preview POST parameter and affects all versions up to and including 3.2.0.
This vulnerability stems from insufficient input sanitization and output escaping when the plugin processes preview data. Due to the DOM-based nature of this XSS flaw, unauthenticated attackers can craft malicious pages that auto-submit forms to vulnerable WordPress sites, causing arbitrary JavaScript to execute in the context of visiting users' browsers.
Critical Impact
Unauthenticated attackers can inject arbitrary web scripts that execute when users visit malicious pages, potentially leading to session hijacking, credential theft, site defacement, or malware distribution.
Affected Products
- NotificationX WordPress Plugin versions up to and including 3.2.0
- WordPress sites with vulnerable NotificationX installations
- WooCommerce integrations utilizing NotificationX for sales popups
Discovery Timeline
- January 20, 2026 - CVE-2025-15380 published to NVD
- January 20, 2026 - Last updated in NVD database
Technical Details for CVE-2025-15380
Vulnerability Analysis
The NotificationX plugin implements a preview functionality that allows administrators to preview notification configurations before publishing them. The vulnerable code path processes data submitted via the nx-preview POST parameter and renders it directly within the Document Object Model (DOM) without adequate sanitization or encoding.
This DOM-Based XSS vulnerability differs from traditional reflected or stored XSS in that the malicious payload is processed entirely on the client side. The JavaScript code within the page reads the attacker-controlled input from the POST parameter and writes it to the DOM, where it gets interpreted and executed by the browser.
The attack does not require authentication, which significantly increases its severity. An attacker can host a malicious webpage containing a hidden form that automatically submits to the vulnerable WordPress endpoint when a victim visits the attacker's page. This cross-origin form submission technique bypasses same-origin restrictions because HTML forms do not follow CORS policies.
Root Cause
The root cause of this vulnerability is the failure to properly sanitize user-supplied input and escape output when handling the nx-preview POST parameter. The plugin's preview functionality accepts data from untrusted sources and incorporates it into the rendered page without applying appropriate encoding or content security measures.
Specifically, the vulnerability occurs because:
- The plugin accepts preview data through a POST parameter accessible without authentication
- Input validation does not adequately filter or sanitize potentially malicious content
- Output escaping is missing or insufficient when the preview data is rendered to the DOM
- The DOM manipulation functions directly insert unescaped content into the page structure
Attack Vector
The attack leverages a cross-site form submission technique. An attacker creates a malicious webpage hosted on their own infrastructure containing a hidden HTML form. This form targets the vulnerable WordPress site's preview endpoint and includes a crafted payload in the nx-preview parameter containing malicious JavaScript.
When a victim visits the attacker's malicious page, JavaScript automatically submits the hidden form to the vulnerable WordPress site. The victim's browser sends the request (including any WordPress authentication cookies if the user is logged in), and the response page renders with the injected script executing in the context of the WordPress domain.
The attacker's injected scripts can then access sensitive data within the WordPress site's origin, including authentication tokens, session cookies, and the ability to perform actions as the authenticated user.
For detailed technical analysis, refer to the CleanTalk CVE-2025-15380 Analysis and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-15380
Indicators of Compromise
- Unusual POST requests to WordPress endpoints containing the nx-preview parameter with encoded JavaScript or HTML content
- Web server logs showing requests with suspicious payloads containing <script>, javascript:, onerror=, or similar XSS patterns in the nx-preview field
- User reports of unexpected behavior, redirects, or pop-ups when interacting with NotificationX preview functionality
- Browser console errors indicating blocked inline scripts if Content Security Policy is enabled
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block POST requests containing XSS payloads in the nx-preview parameter
- Implement monitoring for HTTP POST requests to NotificationX preview endpoints with anomalous or encoded content
- Enable Content Security Policy headers to restrict inline script execution and report policy violations
- Utilize SentinelOne Singularity platform for endpoint-level detection of malicious script execution patterns
Monitoring Recommendations
- Review web server access logs for POST requests targeting NotificationX preview functionality with unusual payload sizes or encoded content
- Configure alerting for multiple failed XSS attempts from single IP addresses or referrers
- Monitor for unexpected external domain references or data exfiltration attempts in browser-based security tools
- Implement regular vulnerability scanning of WordPress installations to identify unpatched plugin versions
How to Mitigate CVE-2025-15380
Immediate Actions Required
- Update NotificationX plugin to the latest patched version immediately
- Audit WordPress site logs for potential exploitation attempts targeting the nx-preview parameter
- Implement Content Security Policy headers with strict inline script restrictions
- Consider temporarily disabling the NotificationX plugin until the update is applied if immediate patching is not possible
Patch Information
The vulnerability has been addressed by the plugin developers. The patch can be reviewed in the WordPress Plugin Changeset comparing revisions 3426659 and 3433555. Site administrators should update to the latest version of NotificationX that includes the security fix.
To update the plugin:
- Navigate to the WordPress admin dashboard
- Go to Plugins → Installed Plugins
- Locate NotificationX and click "Update Now" if an update is available
- Verify the plugin version is newer than 3.2.0 after updating
Workarounds
- Implement a Web Application Firewall with rules to block requests containing XSS payloads in POST parameters
- Add Content Security Policy headers to prevent inline script execution: Content-Security-Policy: script-src 'self';
- Restrict access to WordPress admin and preview endpoints via IP allowlisting if the plugin must remain active
- Temporarily deactivate the NotificationX plugin until the update can be applied
# Add Content Security Policy headers in Apache .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
# Or in Nginx configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
