Description
Missing Authorization vulnerability in App Cheap Push notification for Mobile and Web app push-notification-mobile-and-web-app allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push notification for Mobile and Web app: from n/a through <= 2.0.3.
Published: 2025-05-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in App Cheap’s Push notification for Mobile and Web app plugin lets attackers exploit incorrectly configured access control security levels. The vulnerability allows an attacker to perform actions that should be restricted, potentially granting unauthorized control over push notification configuration and delivery. The weakness is classified as Missing Authorization (CWE-862), which can expose sensitive operations if left unpatched.

Affected Systems

The affected product is App Cheap’s Push notification for Mobile and Web app plugin, versions from the earliest release through version 2.0.3. All instances of the plugin within that version range are impacted.

Risk and Exploitability

The CVSS score of 6.5 rates the flaw as Medium severity. The EPSS score of less than 1% indicates a low probability of exploitation at the time of assessment, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote, through web requests to the plugin’s endpoints: once the plugin is installed and reachable, the missing authorization check can be exercised even by users lacking proper privileges. The recorded CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) is consistent with this: network-reachable, low attack complexity, no privileges or user interaction required, and limited confidentiality and integrity impact with no availability impact. Because the flaw is incorrectly configured access control, any authenticated or possibly unauthenticated user could gain elevated capabilities.

Generated by OpenCVE AI on April 30, 2026 at 12:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Push notification for Mobile and Web app plugin to version 2.0.4 or newer to address the missing authorization flaw.
  • If an upgrade cannot be performed immediately, disable or remove the plugin to eliminate the attack surface.
  • Review and tighten the plugin’s access control settings, ensuring that only authorized users can manage push notifications and that security levels are correctly enforced.
  • Continuously monitor site logs for any unauthorized attempts to access or modify push notification settings.

Generated by OpenCVE AI on April 30, 2026 at 12:59 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-15519
Title: Missing Authorization vulnerability in App Cheap Push notification for Mobile and Web app allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push notification for Mobile and Web app: from n/a through 2.0.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in App Cheap Push notification for Mobile and Web app allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push notification for Mobile and Web app: from n/a through 2.0.3.
  Added: Missing Authorization vulnerability in App Cheap Push notification for Mobile and Web app push-notification-mobile-and-web-app allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push notification for Mobile and Web app: from n/a through <= 2.0.3.
Title
  Removed: WordPress Push notification for Mobile and Web app <= 2.0.3 - Broken Access Control Vulnerability
  Added: WordPress Push notification for Mobile and Web app plugin <= 2.0.3 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in App Cheap Push notification for Mobile and Web app allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push notification for Mobile and Web app: from n/a through 2.0.3.
Title WordPress Push notification for Mobile and Web app <= 2.0.3 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.100Z

Reserved: 2025-05-15T18:01:28.792Z

Link: CVE-2025-48127

Vulnrichment

Updated: 2025-05-16T16:37:31.115Z

NVD

Status: Deferred

Published: 2025-05-16T16:15:44.507

Modified: 2026-04-23T15:30:50.703

Link: CVE-2025-48127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:00:13Z
