Description
Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP all-push-notification allows Reflected XSS. This issue affects All push notification for WP: from n/a through <= 1.5.3.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery in the All push notification for WP plugin lets an attacker deliver a reflected XSS payload through a request that the plugin does not protect against forgery. The resulting script runs in the context of the victim's browser session and can be used to steal session cookies, deface the site, or perform further actions on the victim's behalf. The weakness is tracked as CWE‑352 (Cross‑Site Request Forgery): the missing request‑origin check is what allows unauthenticated, attacker‑supplied input to be reflected as script.

Affected Systems

The vulnerability affects the WordPress All push notification for WP plugin from the earliest release through version 1.5.3. Sites running this plugin version are therefore exposed.

Risk and Exploitability

The CVSS 3.1 score of 7.1 is rated High. The EPSS score of less than 1 % suggests a low probability of real‑world exploitation at this time, and the issue is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker sending a crafted link or form to a legitimate user; when the user's browser submits that request, the reflected script executes. Because the affected request lacks CSRF protection, privileged users of the site who interact with the plugin's interface are the most likely targets.

Generated by OpenCVE AI on May 2, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the All push notification for WP plugin available from the vendor to remove the CSRF‑triggered XSS vulnerability.
  • If an update is not available, disable or deactivate the plugin until the fix is released.
  • Deploy a site‑wide Content Security Policy that restricts script sources to mitigate the impact of any remaining reflected XSS attempts.
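As an added illustration (not code from the All push notification for WP plugin, whose source this page does not show), the following PHP shows the generic WordPress pattern that closes a CSRF‑to‑reflected‑XSS chain of the kind described here and applies the Content Security Policy recommendation: a nonce bound to the form, a handler that verifies capability and nonce before acting, output that reflects only fixed, escaped strings, and a site‑wide CSP header. All `apn_demo_*` function, option and field names are invented for this example.

```php
<?php
/*
 * Added illustration, not code from the All push notification for WP plugin.
 * The generic WordPress pattern for a settings form that cannot be forged
 * cross-site and never reflects raw request data. All apn_demo_* names are
 * hypothetical.
 */

// 1. Form: embed a nonce tied to one action, so the request can only be
//    submitted from a page the logged-in user actually loaded on this site.
function apn_demo_render_settings_form() {
    $current = get_option( 'apn_demo_message', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="apn_demo_save">
        <?php wp_nonce_field( 'apn_demo_save', 'apn_demo_nonce' ); ?>
        <label>Message
            <input type="text" name="apn_demo_message" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// 2. Handler: check capability and nonce before touching anything. A forged
//    cross-site request carries no valid nonce and is rejected here.
function apn_demo_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'apn_demo_save', 'apn_demo_nonce' );

    $message = isset( $_POST['apn_demo_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['apn_demo_message'] ) )
        : '';
    update_option( 'apn_demo_message', $message );

    // Redirect with a fixed status token instead of echoing request data back.
    $target = add_query_arg( 'apn_demo_status', 'saved', admin_url( 'options-general.php?page=apn-demo' ) );
    wp_safe_redirect( $target );
    exit;
}
add_action( 'admin_post_apn_demo_save', 'apn_demo_handle_save' );

// 3. Output: only known status tokens are mapped to text, and that text is
//    escaped; an unexpected value is dropped rather than reflected.
function apn_demo_admin_notice() {
    if ( ! isset( $_GET['apn_demo_status'] ) ) {
        return;
    }
    $status   = sanitize_key( wp_unslash( $_GET['apn_demo_status'] ) );
    $messages = array( 'saved' => 'Settings saved.' );
    if ( ! isset( $messages[ $status ] ) ) {
        return; // Unknown value: do not echo it.
    }
    echo '<div class="notice notice-success"><p>' . esc_html( $messages[ $status ] ) . '</p></div>';
}
add_action( 'admin_notices', 'apn_demo_admin_notice' );

// 4. Defence in depth (the CSP recommendation): restrict script sources on the
//    front end so a reflected payload has nothing it is allowed to load or run inline.
function apn_demo_send_csp() {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'apn_demo_send_csp' );
```

The `send_headers` action fires for front‑end requests and not for wp‑admin, so this policy does not break the admin area's inline scripts; if you extend it to admin pages, expect to need script nonces or hashes. The redirect‑with‑fixed‑token pattern in the handler matters as much as the nonce check: a request value that is never echoed cannot be reflected, whatever the nonce status.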

Advisories

Source: EUVD
ID: EUVD-2025-11675
Title: Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP allows Reflected XSS. This issue affects All push notification for WP: from n/a through 1.5.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP allows Reflected XSS. This issue affects All push notification for WP: from n/a through 1.5.3.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP all-push-notification allows Reflected XSS.This issue affects All push notification for WP: from n/a through <= 1.5.3.
Type: References
  (values not shown)
Type: Metrics (cvssV3_1)
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
  Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP allows Reflected XSS. This issue affects All push notification for WP: from n/a through 1.5.3.
Type: Title
  WordPress All push notification for WP Plugin <= 1.5.3 - CSRF to Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  CWE-352
Type: References
  (values not shown)
Type: Metrics (cvssV3_1)
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

WordPress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.051Z

Reserved: 2025-04-09T11:19:56.431Z

Link: CVE-2025-32546

Vulnrichment

Updated: 2025-04-17T18:06:29.703Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:42.973

Modified: 2026-04-23T15:29:04.893

Link: CVE-2025-32546

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:15:31Z

Weaknesses