## https://sploitus.com/exploit?id=021063E9-0EFC-5BB3-A717-3C9223961E61
# CVE-2024-1698 – NotificationX WordPress Plugin SQL Injection (Time‑Based Blind)
[NVD: CVE-2024-1698](https://nvd.nist.gov/vuln/detail/CVE-2024-1698)
[CVSS 3.1 vector](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
[NotificationX on WordPress.org](https://wordpress.org/plugins/notificationx/)
**Unauthenticated Time‑Based Blind SQL Injection** → Extract admin username & password hash from WordPress.
---
## 🧠 Vulnerability Overview
NotificationX versions **2.8.2 and below** suffer from improper input sanitization in the `type` parameter of the REST API endpoint:
`/wp-json/notificationx/v1/analytics`
An unauthenticated attacker can inject time‑based blind SQL queries. By measuring response delays, the attacker can extract:
- Admin **username**
- Admin **password hash** (phpass format, e.g., `$P$B...`)
No authentication, no user interaction. CVSS **9.8 (Critical)**.
---
## 🔧 How the Exploit Works (Time‑Based Blind SQLi)
1. **Length detection** – Injects `IF(LENGTH(...)=N, SLEEP(1), null)`. If response time > 1 second → length = N.
2. **Character extraction** – Uses `ASCII(SUBSTRING(...))` to brute‑force each character, again relying on `SLEEP()` timing.
3. **Password hash extraction** – Same method applied to `user_pass` column.
The hash can later be cracked offline with **John the Ripper** or **hashcat**.
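
A defender's view of the timing behaviour described above, as an added example that is not part of the original repository: it scans access-log lines for clients whose requests to the analytics endpoint mix fast responses with responses delayed by at least the `SLEEP(1)` interval. The log format (nginx `combined` with `$request_time` appended), the thresholds, the `sample_line` helper and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

ENDPOINT = "/wp-json/notificationx/v1/analytics"  # endpoint named on this page
SLEEP_SECONDS = 1.0  # the payloads described above use SLEEP(1)
MIN_REQUESTS = 8     # assumed threshold: blind extraction needs many probes
MIN_SLOW = 2         # assumed threshold: minimum number of delayed responses

# Assumed log format: nginx "combined" with $request_time as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<rt>\d+\.\d+)$'
)

def find_timing_probes(lines):
    """Return {client_ip: (total, slow)} for clients whose traffic to the
    analytics endpoint looks like time-based blind probing."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != ENDPOINT:
            continue
        entry = stats[m["ip"]]
        entry[0] += 1
        if float(m["rt"]) >= SLEEP_SECONDS:
            entry[1] += 1
    # Require a mix of fast and slow answers: a server that is slow for
    # every request (slow == total) is a performance issue, not a probe.
    return {ip: (total, slow) for ip, (total, slow) in stats.items()
            if total >= MIN_REQUESTS and MIN_SLOW <= slow < total}

def sample_line(ip, path, rt, method="POST"):
    """Build one constructed log line in the assumed format."""
    return (f'{ip} - - [12/Mar/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "python-requests/2.31.0" {rt:.3f}')

# Constructed sample traffic (documentation IP ranges, invented timings).
SAMPLE_LOG = (
    [sample_line("203.0.113.7", ENDPOINT, 1.04 if i % 5 == 0 else 0.06)
     for i in range(20)]
    + [sample_line("198.51.100.9", ENDPOINT, 0.05) for _ in range(3)]
    + [sample_line("198.51.100.20", "/wp-json/wp/v2/posts", 1.50, "GET")
       for _ in range(10)]
)

if __name__ == "__main__":
    print(find_timing_probes(SAMPLE_LOG))
```

Tune `MIN_REQUESTS` and `MIN_SLOW` against normal traffic for the site before alerting on the result.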
---
## 📦 Requirements
- Python 3.6+
- `requests` library
- Target WordPress with NotificationX ≤ 2.8.2 (unpatched)
---
## 🚀 Quick Start
### 1. Clone the repository
```bash
git clone https://github.com/kamranhasan/CVE-2024-1698-Exploit.git
cd CVE-2024-1698-Exploit