Description
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying user capabilities or nonces. This makes it possible for unauthenticated attackers to overwrite the OneSignal App ID, REST API key, and notification behavior via direct POST requests.
Published: 2025-12-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change
Action: Update Plugin
AI Analysis

Impact

The vulnerability arises from a missing capability check in the OneSignal – Web Push Notifications WordPress plugin. The plugin processes POST requests without verifying user permissions or nonces, allowing an unauthenticated attacker to overwrite critical settings such as the OneSignal App ID, the REST API key, and the notification behavior. This flaw compromises the integrity of the plugin configuration and may expose sensitive credentials or alter how notifications are sent, potentially facilitating phishing or data exfiltration attacks.
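The two checks the description says are missing, a capability check and a nonce check, are what separate a settings handler that anyone on the internet can drive from one only an administrator can use. The following is an added illustration in WordPress-plugin PHP, not code from the OneSignal plugin: the first handler has the general shape of a CWE-862 settings update (it trusts any POST that reaches `init`), the second shows the hardened form. Every hook name, option name, form field and the settings-page slug (`example_push_*`, `example-push`) is an assumption made up for this example, and the UUID format imposed on the App ID is likewise assumed.

```php
<?php
// Added illustration, not the plugin's own code. All hook/option/field names
// and the settings-page slug are assumptions chosen for the example.

// --- Vulnerable shape (CWE-862): the handler trusts any POST it receives. ---
// Hooking on 'init' means the code runs for every request, including ones from
// visitors with no session at all, and nothing here asks who sent the request.
function example_push_save_settings_vulnerable() {
    if ( ! isset( $_POST['example_push_save'] ) ) {
        return;
    }
    update_option( 'example_push_app_id',   sanitize_text_field( wp_unslash( $_POST['app_id']   ?? '' ) ) );
    update_option( 'example_push_rest_key', sanitize_text_field( wp_unslash( $_POST['rest_key'] ?? '' ) ) );
}
add_action( 'init', 'example_push_save_settings_vulnerable' );

// --- Hardened form: authorization, then CSRF protection, then validation. ---
function example_push_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage options may change credentials.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example-push' ), 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action.
    //    check_admin_referer() stops the request if the nonce is missing or stale.
    check_admin_referer( 'example_push_save', 'example_push_nonce' );

    // 3. Validate and sanitize before storing. The App ID format is an assumption
    //    for the example (UUID-like); adapt the rule to the real identifier.
    $app_id   = sanitize_text_field( wp_unslash( $_POST['app_id']   ?? '' ) );
    $rest_key = sanitize_text_field( wp_unslash( $_POST['rest_key'] ?? '' ) );
    if ( ! preg_match( '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $app_id ) ) {
        wp_die( esc_html__( 'Invalid App ID.', 'example-push' ), 400 );
    }
    update_option( 'example_push_app_id', $app_id );

    // An empty field keeps the current key, so the form never has to echo the secret back.
    if ( '' !== $rest_key ) {
        update_option( 'example_push_rest_key', $rest_key );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-push' ) ) );
    exit;
}
// Only the authenticated admin-post hook is registered. There is deliberately no
// 'admin_post_nopriv_example_push_save' counterpart, so anonymous requests are
// never routed to the handler in the first place.
add_action( 'admin_post_example_push_save', 'example_push_save_settings_hardened' );

// The settings form must emit the matching nonce and submit to admin-post.php.
function example_push_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_push_save">
        <?php wp_nonce_field( 'example_push_save', 'example_push_nonce' ); ?>
        <label>App ID
            <input type="text" name="app_id"
                   value="<?php echo esc_attr( get_option( 'example_push_app_id', '' ) ); ?>">
        </label>
        <label>REST API key
            <input type="password" name="rest_key" value="" autocomplete="new-password">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The order matters for defenders reviewing similar code: `current_user_can()` answers "may this account do this at all", `check_admin_referer()` answers "did this account intend this specific request", and neither substitutes for the other. Registering only the `admin_post_` hook (never `admin_post_nopriv_`) and avoiding `init`-time processing of `$_POST` keeps unauthenticated traffic away from the handler entirely, which is the property the recommended post-upgrade verification step is checking for.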

Affected Systems

All WordPress installations running the OneSignal – Web Push Notifications plugin at version 3.6.1 or earlier are affected. The affected product is the OneSignal – Web Push Notifications plugin for WordPress, as supplied by OneSignal.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, unauthenticated: an attacker can send crafted HTTP POST requests to the plugin’s settings endpoint, bypassing authentication checks and changing configuration data. The consequence is a compromise of configuration integrity and potential exposure of API credentials, which can be leveraged for further attacks such as unauthorized notification delivery or credential theft.

Generated by OpenCVE AI on April 20, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OneSignal – Web Push Notifications plugin to a version that implements proper capability checks (any release newer than 3.6.1).
  • Verify that the plugin’s settings endpoint no longer accepts unauthenticated POST requests by testing or inspecting the plugin’s code after the upgrade.
  • After updating, audit and, if necessary, reset the OneSignal App ID, REST API key, and notification settings to ensure they have not been tampered with.

Tracking


Advisories

No advisories yet.

History

Mon, 15 Dec 2025 21:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Onesignal; Onesignal web Push Notifications; Wordpress; Wordpress wordpress
Vendors & Products  |                | Onesignal; Onesignal web Push Notifications; Wordpress; Wordpress wordpress

Mon, 15 Dec 2025 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Dec 2025 14:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying user capabilities or nonces. This makes it possible for unauthenticated attackers to overwrite the OneSignal App ID, REST API key, and notification behavior via direct POST requests.
Title       |                | OneSignal – Web Push Notifications <= 3.6.1 - Missing Authorization to Unauthenticated Plugin Settings Update
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Onesignal Web Push Notifications
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:36.767Z

Reserved: 2025-12-03T09:44:06.039Z

Link: CVE-2025-13950

Vulnrichment

Updated: 2025-12-15T15:24:44.726Z

NVD

Status : Deferred

Published: 2025-12-15T15:15:48.810

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses