Description
Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP all-push-notification allows Blind SQL Injection. This issue affects All push notification for WP: from n/a through <= 1.5.3.
Published: 2025-04-09
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery allows an attacker to trigger a Blind SQL Injection in the All push notification for WP plugin. The flaw enables arbitrary manipulation or exfiltration of the WordPress database, potentially revealing sensitive user information or corrupting site data. The vulnerability is catalogued as CWE‑352 (Cross‑Site Request Forgery).

Affected Systems

WordPress sites using the gtlwpdev All push notification for WP plugin with versions up to and including 1.5.3 are affected. No other platforms or products are listed.

Risk and Exploitability

The reported CVSS score of 8.2 classifies the issue as high severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not yet in CISA’s KEV catalog. Nevertheless, the CSRF nature means an attacker can force a victim’s browser to initiate the injection, so any user with site access can be the target. If the plugin’s CSRF protection is bypassed, the attacker can craft a request that manipulates database contents or reads data. The combination of high impact and low known exploitation probability calls for proactive mitigation.

Generated by OpenCVE AI on May 1, 2026 at 10:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.5.3 as released by the vendor.
  • If a patch is not currently available, deactivate or uninstall the plugin to eliminate the attack surface.
  • Implement strict Cross‑Site Request Forgery protections on the site, such as using the WordPress REST API nonce system or security plugins that enforce CSRF tokens for all state‑changing requests.
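As an added illustration of the third recommendation (example code, not the plugin's own code and not from OpenCVE), a hypothetical WordPress admin-post handler that layers a nonce check, a capability check and a prepared statement; every name prefixed apn_example_, including the table, is assumed.

```php
<?php
// Added example, not the plugin's code: a hypothetical admin action that updates a
// subscriber record. The nonce stops a forged cross-site request, the capability
// check limits who may trigger the change, and the prepared statement keeps user
// input out of the SQL grammar, so a CSRF-to-SQL-injection chain is broken twice.

// Form: wp_nonce_field() emits a nonce bound to the 'apn_example_update' action.
function apn_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'apn_example_update', 'apn_example_nonce' ); ?>
        <input type="hidden" name="action" value="apn_example_update">
        <input type="number" name="subscriber_id" min="1">
        <input type="text" name="label">
        <?php submit_button( 'Update' ); ?>
    </form>
    <?php
}

// Handler: admin_post_{action} runs only for logged-in users.
add_action( 'admin_post_apn_example_update', 'apn_example_handle_update' );

function apn_example_handle_update() {
    global $wpdb;

    // A cross-site request cannot know the nonce; check_admin_referer() dies before any SQL runs.
    check_admin_referer( 'apn_example_update', 'apn_example_nonce' );

    // CSRF rides the victim's session, so also require a capability fit for the change.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Coerce and sanitize input before it reaches the query.
    $subscriber_id = absint( $_POST['subscriber_id'] ?? 0 );
    $label         = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );

    // Placeholders (%s, %d) are quoted/cast by $wpdb->prepare(); the table name is hypothetical.
    $table = $wpdb->prefix . 'apn_example_subscribers';
    $wpdb->query(
        $wpdb->prepare( "UPDATE {$table} SET label = %s WHERE id = %d", $label, $subscriber_id )
    );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
```

For REST routes the equivalent controls are the X-WP-Nonce header (checked by WordPress for cookie-authenticated requests) and a permission_callback on the route, with the same prepared-statement rule in the callback.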

Advisories

Source: EUVD
ID: EUVD-2025-10596
Title: Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP allows Blind SQL Injection. This issue affects All push notification for WP: from n/a through 1.5.3.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP allows Blind SQL Injection. This issue affects All push notification for WP: from n/a through 1.5.3.
    Values Added: Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP all-push-notification allows Blind SQL Injection.This issue affects All push notification for WP: from n/a through <= 1.5.3.
  References
  Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}

Thu, 10 Apr 2025 08:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 09 Apr 2025 16:30:00 +0000
  Description: Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP allows Blind SQL Injection. This issue affects All push notification for WP: from n/a through 1.5.3.
  Title: WordPress All push notification for WP Plugin <= 1.5.3 - CSRF to SQL Injection vulnerability
  Weaknesses: CWE-352
  References
  Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}

Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:04:51.552Z

Reserved: 2025-04-09T11:19:56.431Z

Link: CVE-2025-32547

Vulnrichment

Updated: 2025-04-09T17:41:18.529Z

NVD

Status : Deferred

Published: 2025-04-09T17:15:44.930

Modified: 2026-04-23T15:29:05.007

Link: CVE-2025-32547

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:00:15Z

Weaknesses