Description
Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gravitec.net – Web Push Notifications: from n/a through <= 2.9.17.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Gravitec.net – Web Push Notifications for WordPress manifests as a missing authorization check that allows attackers to bypass intended role restrictions. This broken access control can lead to unauthorized modification of push notification data, potentially exposing confidential information or disrupting content delivery. The weakness is identified as CWE‑862, representing insufficient enforcement of authorization boundaries, which compromises the integrity of the plugin’s operations.

Affected Systems

The affected product is the Gravitec.net – Web Push Notifications WordPress plugin, versions from the initial release through 2.9.17. Any WordPress site running these versions is within the attack surface.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of less than 1% points to a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been documented. Based on the description, it is inferred that an attacker could exploit this flaw via unauthenticated or low‑privilege HTTP requests to the plugin’s endpoints, provided they can reach the WordPress installation. While a full system compromise is unlikely, unauthorized changes to push notification registrations or data are possible.

Generated by OpenCVE AI on April 29, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gravitec.net – Web Push Notifications plugin to version 2.9.18 or later to apply the vendor‑provided fix.
  • If an upgrade is not immediately possible, disable or remove the plugin from the WordPress site to eliminate the exposed surface.
  • Ensure that only users with appropriate roles can manage push notifications, verifying the plugin’s access checks are enforced correctly.
  • Monitor the WordPress environment for unauthorized access attempts targeting the plugin’s endpoints, and apply security hardening measures such as restricting plugin URLs to authenticated users only.
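To illustrate the access check that the third action asks you to verify, here is an added example (not code from the Gravitec.net plugin) of a WordPress REST route that manages push-notification settings, registered first with the CWE-862 pattern and then with a proper capability check. The namespace, route, option name and function names are hypothetical.

```php
<?php
// Added illustration, not the Gravitec.net plugin's code. The namespace, route,
// option name and function names below are hypothetical.

// Vulnerable pattern (CWE-862): permission_callback accepts every request, so
// any logged-in user (CVSS PR:L) or even an anonymous client can overwrite the
// plugin's push-notification settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-push/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_push_save_settings',
        'permission_callback' => '__return_true', // missing authorization check
    ) );
} );

// Hardened pattern: require a capability that only administrators hold, and
// declare the argument so WordPress sanitizes it before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-push/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_push_save_settings',
        'permission_callback' => function () {
            // Only users allowed to manage site options may change the settings.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'app_key' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Shared handler: stores the submitted key. It is safe only when the route
// that reaches it has enforced authorization first.
function example_push_save_settings( WP_REST_Request $request ) {
    update_option( 'example_push_app_key', $request->get_param( 'app_key' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

For cookie-authenticated callers WordPress additionally requires a valid X-WP-Nonce header on REST requests, which protects the hardened route against cross-site request forgery as well.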


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net &#8211; Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gravitec.net &#8211; Web Push Notifications: from n/a through <= 2.9.17.
Values Added: Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gravitec.net – Web Push Notifications: from n/a through <= 2.9.17.

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Wed, 10 Dec 2025 22:15:00 +0000

Type: Metrics
Values Added:
  • cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added:
  • Gravitec.net
  • Gravitec.net web Push Notifications
  • Wordpress
  • Wordpress wordpress
Type: Vendors & Products
Values Added:
  • Gravitec.net
  • Gravitec.net web Push Notifications
  • Wordpress
  • Wordpress wordpress

Tue, 09 Dec 2025 15:00:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net &#8211; Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gravitec.net &#8211; Web Push Notifications: from n/a through <= 2.9.17.
Type: Title
Values Added: WordPress Gravitec.net – Web Push Notifications plugin <= 2.9.17 - Broken Access Control vulnerability
Type: Weaknesses
Values Added: CWE-862
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:56:15.758Z

Reserved: 2025-10-24T07:50:53.684Z

Link: CVE-2025-62869

Vulnrichment

Updated: 2025-12-10T21:50:20.259Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:03.943

Modified: 2026-04-28T19:34:59.190

Link: CVE-2025-62869

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:30:18Z

Weaknesses