OneSignal Web Push Notifications WordPress Plugin Missing Authorization Vulnerability

Vulnerability

A vulnerability exists in the OneSignal – Web Push Notifications plugin for WordPress in all versions through 3.6.1. The settings management functionality performs no capability check: the plugin processes POST requests without verifying the requesting user's capabilities or a nonce, so an unauthenticated attacker can overwrite the OneSignal App ID, REST API key, and notification settings with a direct POST request.

Impact

Exploitation of this vulnerability allows for unauthorized modification of plugin settings, including the OneSignal App ID, REST API key, and notification behavior.

Reproduction

To reproduce this vulnerability, send a POST request to the WordPress site with the OneSignal – Web Push Notifications plugin active. Include the 'onesignal_app_id', 'onesignal_rest_api_key', and any notification behavior parameters you wish to change. The request can be sent without authentication, as the plugin does not verify user capabilities or nonces before processing the data.

Remediation

Users are advised to update the OneSignal – Web Push Notifications plugin to version 3.6.2 or later.
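The fix for this class of defect is the standard WordPress pattern of a capability check plus a nonce check before any option is written. The handler below is an added example written for this advisory, not the plugin's own code; the hook name, option keys, nonce action and field name are assumptions.

```php
<?php
// Added example: a hypothetical WordPress settings handler that enforces the
// checks this advisory says were missing. Not the plugin's real code.
// Assumed names: hook, option keys, nonce action and nonce field.

// admin_post_{action} only fires for logged-in users; unauthenticated requests
// never reach this function (admin_post_nopriv_{action} is deliberately not hooked).
add_action('admin_post_onesignal_save_settings', 'example_onesignal_save_settings');

function example_onesignal_save_settings() {
    // 1. Capability check: only users who may manage site options can change
    //    the App ID, REST API key or notification behaviour.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to change these settings.'), 403);
    }

    // 2. Nonce check: rejects requests not originating from the plugin's own
    //    settings form (CSRF protection). check_admin_referer() dies on failure.
    check_admin_referer('onesignal_save_settings', 'onesignal_settings_nonce');

    // 3. Sanitize every value before storing it; never persist raw $_POST data.
    $app_id  = isset($_POST['onesignal_app_id'])
        ? sanitize_text_field(wp_unslash($_POST['onesignal_app_id'])) : '';
    $api_key = isset($_POST['onesignal_rest_api_key'])
        ? sanitize_text_field(wp_unslash($_POST['onesignal_rest_api_key'])) : '';
    $notify  = !empty($_POST['onesignal_notify_on_publish']) ? 1 : 0;

    update_option('example_onesignal_app_id', $app_id);
    update_option('example_onesignal_rest_api_key', $api_key);
    update_option('example_onesignal_notify_on_publish', $notify);

    // 4. Redirect back to the settings page rather than echoing anything.
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('admin.php?page=example-onesignal')));
    exit;
}

// The settings form that posts to this handler must embed the matching nonce:
//   wp_nonce_field('onesignal_save_settings', 'onesignal_settings_nonce');
// and submit to admin_url('admin-post.php') with action=onesignal_save_settings.
```

A request that lacks a valid session, the manage_options capability, or the nonce is stopped before update_option() runs, which is exactly the path the advisory describes as unguarded in versions through 3.6.1.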

Added: Dec 15, 2025, 3:23 PM
Updated: Dec 15, 2025, 6:47 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 8.6
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.