OneSignal Web Push Notifications WordPress Plugin Authorization Bypass Vulnerability Allowing Post Metadata Deletion

Vulnerability

The OneSignal – Web Push Notifications plugin for WordPress, in versions through 3.8.0, contains an authorization bypass vulnerability. The plugin fails to properly verify user authorization for certain actions, enabling authenticated attackers with subscriber-level access or higher to delete OneSignal metadata from arbitrary posts.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of OneSignal metadata from posts, which could disrupt notification delivery or post management.

Remediation

Users can update to version 3.8.1 or a newer patched version to address this vulnerability.
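
To confirm which installs still need the update, the following added example (not from the advisory or the plugin's own code) reads WordPress plugin header comments under a `wp-content/plugins` directory and flags OneSignal copies older than 3.8.1. Matching on "onesignal" in the Plugin Name header is an assumption, and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (3, 8, 1)  # first patched release, per the advisory

# Constructed sample of a plugin header comment (not the plugin's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: OneSignal Push Notifications
 * Version: 3.8.0
 */
"""

def header_field(text, field):
    """Return one field from a WordPress plugin header comment, or None."""
    pattern = rf"^[ \t/*#@]*{re.escape(field)}:[ \t]*(.+?)[ \t]*$"
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1) if m else None

def parse_version(s):
    """'3.8' -> (3, 8, 0); compared numerically so 3.10.0 sorts above 3.8.1."""
    parts = [int(n) for n in re.findall(r"\d+", s)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(text):
    """Classify one plugin file's header against the fixed version."""
    name = header_field(text, "Plugin Name") or ""
    if "onesignal" not in name.lower():  # assumption: name contains "OneSignal"
        return "not-onesignal"
    version = header_field(text, "Version")
    if version is None:
        return "unknown-version"
    return "vulnerable" if parse_version(version) < FIXED else "patched"

def scan(plugins_dir):
    """Map each OneSignal plugin file under plugins_dir to its status."""
    results = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        status = classify(head)
        if status != "not-onesignal":
            results[str(php)] = status
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, status in sorted(scan(sys.argv[1]).items()):
            print(f"{status:16} {path}")
    else:
        print(classify(SAMPLE_HEADER))
```

Run it with the path to a site's plugins directory as the only argument; with no argument it classifies the constructed sample.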

Added: Apr 16, 2026, 12:24 PM
Updated: Apr 16, 2026, 12:24 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 7.5
remediation: 7.7
relevance: 6.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.