Impact
The OneSignal – Web Push Notifications plugin for WordPress is affected by a missing-authorization flaw in all releases up to and including 3.8.0. The delete action on post metadata is processed without a proper capability check, so any authenticated user with subscriber-level privileges or higher can send a request that deletes the plugin's metadata for an arbitrary post ID. Deleting this data does not directly expose content, but it removes the per-post configuration that governs notification delivery, potentially leaving push notifications for those posts disabled or misconfigured. An attacker could use this to disrupt user engagement or create confusion over site notifications. Depending on the workflows integrated with the plugin, the loss of this metadata is an impact on the integrity and availability of the notification system.
Affected Systems
WordPress sites running the OneSignal – Web Push Notifications plugin at version 3.8.0 or earlier are affected. Administrators should verify the active version on the Plugins screen and update to a release newer than 3.8.0 if one is available. When assessing scope, consider how many posts on the site carry push-notification metadata, since every one of them can be targeted by any subscriber-level account.
Risk and Exploitability
The vulnerability has a CVSS score of 3.1, placing it in the low severity range. No EPSS score is currently available and the vulnerability is not listed in the CISA KEV catalog. The flaw is reachable over the network but requires authentication: an attacker needs valid credentials for an account with subscriber-level access or higher (for example, one obtained through open user registration). Exploitation does not require code execution or any privilege beyond the attacker's existing role; once authenticated, the attacker can delete the notification metadata of any post, degrading site functionality and user experience. No public exploits are known, but because the missing check is a simple authorization gap that is trivial to trigger once identified, mitigation is essential.
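The following is an added illustration of the missing-authorization pattern described in the Impact and Risk sections above. It is not code from the OneSignal plugin: the action name, the handler names and the meta key are hypothetical and exist only to show a vulnerable handler beside a hardened one using the standard WordPress APIs (check_ajax_referer, current_user_can, delete_post_meta).

```php
<?php
// Added example, not the plugin's code. The hook names, function names and
// the 'example_push_meta' key are assumptions chosen to show the pattern.

// --- Vulnerable shape ------------------------------------------------------
// Registering only the wp_ajax_ (not wp_ajax_nopriv_) hook means the handler
// is reachable by any logged-in user, which matches the "subscriber or
// higher" precondition. The handler then trusts the post ID from the
// request and never asks whether the caller may edit that post.
add_action( 'wp_ajax_example_delete_push_meta', 'example_delete_push_meta_vulnerable' );
function example_delete_push_meta_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    // No nonce check and no capability check: a subscriber who POSTs
    // action=example_delete_push_meta&post_id=<any id> to admin-ajax.php
    // wipes the notification settings of that post.
    delete_post_meta( $post_id, 'example_push_meta' );
    wp_send_json_success();
}

// --- Hardened shape --------------------------------------------------------
// 1. Verify the request carries a nonce we issued (CSRF protection).
// 2. Verify the caller may edit *this specific post* (authorization).
add_action( 'wp_ajax_example_delete_push_meta_fixed', 'example_delete_push_meta_fixed' );
function example_delete_push_meta_fixed() {
    // check_ajax_referer() terminates the request on a missing/invalid nonce.
    check_ajax_referer( 'example_delete_push_meta', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 'edit_post' is a meta capability: WordPress maps it to edit_posts or
    // edit_others_posts for the post's type and author, so subscribers (and
    // authors of other people's posts) are refused here.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_post_meta( $post_id, 'example_push_meta' );
    wp_send_json_success();
}

// The page that renders the delete control must pass the matching nonce to
// the browser, e.g. wp_create_nonce( 'example_delete_push_meta' ), so the
// hardened handler can validate it.
```

The per-post capability check is the part that closes the flaw described above; the nonce alone would not, because a subscriber who can load the page that issues the nonce would still be able to use it against any post ID.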
OpenCVE Enrichment