CVE-2020-36744: 
WordPress vulnerability analysis and mitigation

The NotificationX WordPress plugin versions up to and including 1.8.2 contains a Cross-Site Request Forgery (CSRF) vulnerability. The vulnerability exists due to missing or incorrect nonce validation in the generate_conversions() function. This security issue was discovered and reported by Jerome Bruandet from NinTechNet in September 2020 (NinTechNet Blog).

The vulnerability stems from improper implementation of WordPress security nonces in the generateconversions() function. Specifically, the code checks for nonce validation only if the nonce is not set, using the condition `if(!isset($POST['nonce']) && !wpverifynonce($POST['nonce'], 'nxfrontend_nonce'))`, which creates a logical flaw that allows bypassing the security check (Wordfence). The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to generate conversions via forged requests if they can trick a site administrator into performing specific actions, such as clicking on a malicious link. This could lead to manipulation of conversion data and potentially affect the site's analytics and reporting (NVD).

The recommended mitigation is to update the NotificationX plugin to a version newer than 1.8.2. The vulnerability has been fixed in subsequent releases by properly implementing nonce validation (NVD).