Description
The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'delete_id' parameter in all versions up to, and including, 1.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-02-04
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection enabling data extraction by privileged users
Action: Update Plugin
AI Analysis

Impact

The All push notification for WP plugin lets an authenticated administrator (or higher) inject arbitrary SQL through the delete_id parameter, which reaches the query without proper escaping or preparation. The injection is time-based and blind: the attacker appends conditional delay expressions to the existing query and infers stored data from how long the response takes, rather than seeing it returned directly. That makes extraction slower but does not limit its scope. The flaw falls under CWE-89 and compromises the confidentiality of the information held in the WordPress database.

Affected Systems

The vulnerability exists in all versions of the All push notification for WP plugin up to and including 1.5.3. The product is developed by gtlwpdev and distributed for WordPress sites.

Risk and Exploitability

The CVSS 3.1 base score is 4.9 (Medium), with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N: the flaw is reachable over the network with low complexity and no user interaction, and its confidentiality impact is rated high, but the high-privilege requirement (an administrator account) pulls the score down to Medium. The EPSS score is below 1 %, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the issue as not automatable. To exploit it, an attacker who already holds administrator access submits a crafted delete_id value to the plugin's deletion endpoint; because the injection is time-based, data is inferred one condition at a time from response delays. The exposure is bounded by the privileges of the database account the site connects with, not by the attacker's WordPress role, so on a typical installation it covers the whole WordPress database. The realistic threat is therefore a malicious or compromised administrator, or an attacker who obtains an administrator session by other means.

Generated by OpenCVE AI on April 15, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the All push notification for WP plugin to a release later than 1.5.3 that removes the SQL injection flaw as soon as the vendor publishes one; the advisory defines the affected range as all versions up to and including 1.5.3 but does not name a patched release.
  • If an update cannot be applied immediately, restrict administrative access to trusted users and enforce two‑factor authentication to reduce the risk of credential compromise.
  • As a temporary workaround, edit the plugin's deletion handler so that delete_id is validated strictly (accept only an integer identifier and bind it with $wpdb->prepare()), or disable the deletion functionality or deactivate the plugin, until a patch is applied.
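
The following is an added example, not code from the All push notification for WP plugin (the page does not show the vulnerable handler). It reconstructs the pattern the advisory describes, a request-supplied delete_id concatenated into SQL without escaping or preparation, beside the hardened form a maintainer or site owner would apply as the workaround above. The function names, the table name apnwp_subscribers, the capability check and the nonce action are all assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code. The vulnerable shape below is a
// hypothetical reconstruction of what the advisory describes; the table name,
// function names, capability and nonce action are assumptions.

// Vulnerable pattern (hypothetical): delete_id is interpolated into the SQL string,
// so a value such as "1 AND SLEEP(5)" is executed as SQL. Conditional delays are
// what a time-based blind injection uses to infer data from response timing.
function apnwp_delete_vulnerable( $delete_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'apnwp_subscribers'; // assumed table name
    // No escaping, no prepare(): whatever the request supplied becomes SQL.
    return $wpdb->query( "DELETE FROM {$table} WHERE id = " . $delete_id );
}

// Hardened version: authorize the caller, reject anything that is not a plain
// integer, and bind the value through $wpdb->prepare() so it is never parsed as SQL.
function apnwp_delete_hardened() {
    global $wpdb;

    // The flaw needs an administrator, but a forged request riding an admin's
    // browser session would reach the handler too, so check capability and nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'apnwp_delete_subscriber' ); // assumed nonce action name

    $raw = isset( $_POST['delete_id'] ) ? wp_unslash( $_POST['delete_id'] ) : '';

    // Strict validation: only a non-empty string of ASCII digits is an acceptable id.
    // "1 AND SLEEP(5)", "1;--" and arrays are all rejected here with a 400.
    if ( ! is_string( $raw ) || '' === $raw || ! ctype_digit( $raw ) ) {
        wp_die( 'Invalid delete_id', 400 );
    }
    $delete_id = absint( $raw );

    $table = $wpdb->prefix . 'apnwp_subscribers'; // assumed table name

    // %d binds an integer placeholder; even if validation were bypassed, prepare()
    // would coerce the value to an integer rather than splice text into the query.
    $sql = $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $delete_id );

    return $wpdb->query( $sql );
}
```

The two checks are deliberately layered: the digit test rejects the payload before it reaches the database, and the %d placeholder means the query stays safe even when some other code path calls the function with an unchecked value.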

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 21:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress; Wordpress wordpress
Vendors & Products                     Wordpress; Wordpress wordpress

Wed, 04 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 08:45:00 +0000

Type          Values Removed   Values Added
Description                    The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'delete_id' parameter in all versions up to, and including, 1.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title                          All push notification for WP <= 1.5.3 - Authenticated (Administrator+) SQL Injection via 'delete_id' Parameter
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:41.002Z

Reserved: 2026-01-09T15:42:56.302Z

Link: CVE-2026-0816

Vulnrichment

Updated: 2026-02-04T15:13:36.323Z

NVD

Status : Deferred

Published: 2026-02-04T09:15:52.810

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses