Description
The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthorized broadcast notifications
Action: Update Plugin
AI Analysis

Impact

The WP Firebase Push Notification WordPress plugin contains a CSRF flaw in all releases up to and including version 1.2.0. Missing or incorrect nonce validation on the broadcast function permits an attacker to forge a request that, if a site administrator is tricked into clicking a link, will cause the site to send a notification to all users. The primary impact is the ability to distribute spam or phishing messages without the administrator’s consent, which undermines the confidentiality and trust of the notification system. This weakness is classified as CWE-352.

Affected Systems

All installations of the WP Firebase Push Notification plugin from skywaveinfo that use version 1.2.0 or earlier are affected. The plugin should be upgraded to a later release where nonce handling has been corrected.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate severity. The EPSS score of less than 1% indicates a low probability that this vulnerability will be actively exploited at this time, and it is not listed in CISA’s KEV catalog. The attack vector is most likely limited to websites that allow an administrator to follow a malicious link, making the exploitation scenario plausible but not highly probable. Nonetheless, the potential damage from unsolicited broadcast messages warrants prompt attention.

Generated by OpenCVE AI on April 21, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Firebase Push Notification plugin to the latest release (≥1.2.1) where nonce validation is fixed.
  • If an immediate update is not possible, disable or restrict the broadcast endpoint so that only users with administrator capabilities can trigger notifications.
  • Deploy a web‑application firewall rule or custom server‑side check to block requests to the broadcast action that lack a valid nonce, providing an additional layer of CSRF protection.

Generated by OpenCVE AI on April 21, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19916 The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Thu, 10 Jul 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Skywavesolutions
Skywavesolutions wp Firebase Push Notification
CPEs cpe:2.3:a:skywavesolutions:wp_firebase_push_notification:*:*:*:*:*:wordpress:*:*
Vendors & Products Skywavesolutions
Skywavesolutions wp Firebase Push Notification

Mon, 07 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 02:30:00 +0000

Type Values Removed Values Added
Description The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title WP Firebase Push Notification <= 1.2.0 - Cross-Site Request Forgery to Broadcast Notification
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Skywavesolutions Wp Firebase Push Notification
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:53.844Z

Reserved: 2025-06-09T14:22:14.918Z

Link: CVE-2025-5924

cve-icon Vulnrichment

Updated: 2025-07-07T14:40:57.499Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-04T03:15:21.240

Modified: 2025-07-10T15:13:40.917

Link: CVE-2025-5924

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses