CVE-2025-15380 is a DOM-based Cross-Site Scripting vulnerability identified in the WordPress plugin NotificationX – a widely used tool for displaying live sales notifications, social proof, GDPR banners, and other marketing popups. The vulnerability stems from insufficient sanitization and escaping of the 'nx-preview' POST parameter, which is used during previewing notification content. An attacker can craft a malicious web page that auto-submits a form containing a payload in this parameter to the vulnerable WordPress site. Because the plugin processes this input insecurely, the injected script executes in the context of the victim's browser when visiting the malicious page, leading to DOM-based XSS. This attack vector requires no authentication or user interaction, increasing its severity. The vulnerability affects all versions up to and including 3.2.0 of NotificationX. The CVSS 3.1 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change due to the potential impact on other components. The impact includes partial confidentiality and integrity loss, as attackers can steal cookies, session tokens, or perform actions on behalf of the user. No patches or exploit code are currently publicly available, but the vulnerability is published and should be treated as a high priority for remediation. NotificationX is popular among WordPress sites that use WooCommerce and marketing tools, making e-commerce platforms particularly vulnerable. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially plugins that handle dynamic content injection.

For European organizations, especially those operating e-commerce platforms or marketing websites using WordPress and NotificationX, this vulnerability poses a significant risk. Successful exploitation can lead to session hijacking, theft of sensitive user data, unauthorized actions on behalf of users, and potential defacement or redirection attacks. This can damage brand reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data leakage), and cause financial losses. The vulnerability’s unauthenticated and no user interaction requirements increase the likelihood of automated exploitation attempts. Given the widespread use of WordPress in Europe and the popularity of WooCommerce, many SMEs and large enterprises could be affected. Additionally, the scope change in the CVSS vector indicates that the vulnerability could impact other components or users beyond the immediate plugin context, amplifying the potential damage. While no known exploits are currently reported, the public disclosure increases the risk of future exploitation, necessitating proactive defense measures.

1. Monitor the NotificationX plugin vendor’s announcements closely and apply security patches immediately once they become available. 2. If patches are not yet released, consider temporarily disabling the NotificationX plugin or the preview functionality that processes the 'nx-preview' POST parameter to eliminate the attack surface. 3. Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 4. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious POST requests containing malicious payloads targeting the 'nx-preview' parameter. 5. Conduct regular security audits and penetration testing focusing on input validation and output encoding in all plugins and themes. 6. Educate web administrators and developers about secure coding practices, especially regarding DOM-based XSS vectors. 7. Employ security plugins that can detect and mitigate XSS attacks in WordPress environments. 8. Review user session management and cookie security settings to minimize the impact of potential session hijacking.