Impact
The NotificationX plugin for WordPress is missing a capability check on the REST API endpoints used to regenerate and reset campaign analytics. Because of this omission, any authenticated user with the Contributor role or higher can reset the analytics of any NotificationX campaign, including campaigns that user does not own. An attacker can therefore modify data, potentially erasing valuable tracking information and undermining the accuracy of campaign metrics; the confidentiality and integrity of other site data are not affected.
Affected Systems
The affected plugin is NotificationX by wpdevteam, including variants such as FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner, and Floating Notification Bar. Versions up to and including 3.1.11 are vulnerable on any WordPress site that has the plugin installed. No particular operating system or WordPress version is singled out; exposure depends only on the installed plugin version.
Risk and Exploitability
This issue has a CVSS base score of 4.3, a moderate severity reflecting that only analytics data can be altered. The EPSS score is below 1%, indicating a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of widespread exploitation yet. Nevertheless, any attacker holding a Contributor or higher role on a WordPress site could trigger the reset through the exposed REST endpoints, since no capability check guards them. No preconditions beyond authenticated access are required, and the affected functionality is reachable through normal REST routes.
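To show what the missing check means in WordPress terms, here is an added example (not NotificationX's own code) of an analytics-reset REST route registered without an effective permission check, beside a hardened registration whose permission callback enforces both a capability and campaign ownership. The namespace, route paths, function names, the nx_campaign post type and the meta key are hypothetical; the post type is assumed registered with capability_type 'post' so that edit_post is mapped per object.

```php
<?php
// Added illustration, not code from the NotificationX plugin.
// Names below (example/v1, nx_campaign, _example_analytics) are hypothetical.

// WEAK: no effective permission check. Any logged-in user, Contributor or
// above, can POST to this route with any campaign id and wipe its analytics.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/analytics/reset/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_campaign_analytics',
        'permission_callback' => '__return_true', // accepts every caller
    ) );
} );

// HARDENED: the permission callback decides per campaign before the
// callback runs; WordPress answers 403/404 with a WP_Error and never
// reaches the reset logic.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/analytics/reset-safe/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_campaign_analytics',
        'permission_callback' => 'example_can_reset_analytics',
        'args'                => array( 'id' => array( 'sanitize_callback' => 'absint' ) ),
    ) );
} );

function example_can_reset_analytics( WP_REST_Request $request ) {
    $campaign = get_post( (int) $request['id'] );
    if ( ! $campaign || 'nx_campaign' !== $campaign->post_type ) {
        return new WP_Error( 'rest_not_found', 'Unknown campaign.', array( 'status' => 404 ) );
    }
    // edit_post is a mapped meta capability: the owner may edit their own
    // campaign, while editing someone else's requires edit_others_posts,
    // which Contributors do not hold. This is the ownership check the
    // vulnerable endpoint lacks.
    if ( ! current_user_can( 'edit_post', $campaign->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }
    return true;
}

function example_reset_campaign_analytics( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    delete_post_meta( $id, '_example_analytics' ); // hypothetical analytics store
    return rest_ensure_response( array( 'reset' => $id ) );
}
```

When auditing a plugin for this class of bug, look for every register_rest_route() call whose permission_callback is missing or '__return_true' and confirm the callback itself does not compensate with its own capability and ownership checks.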