What the vulnerability does
01 Description
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying user capabilities or nonces. This makes it possible for unauthenticated attackers to overwrite the OneSignal App ID, REST API key, and notification behavior via direct POST requests.
Explanation of Vulnerability in Simple Terms
02 Summary
OneSignal Web Push Notifications versions 3.6.1 and earlier lack proper authorization checks on the settings handler, allowing an unauthenticated attacker to modify the plugin's push notification settings (including the OneSignal App ID, REST API key, and notification behavior) over the network with a direct POST request. No user interaction is required. The vulnerability affects the integrity of the push notification configuration, and therefore of the notifications delivered to subscribers, but not their confidentiality or system availability.
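The pattern behind the bug described in the Description and Summary above, shown as an added example that is not the OneSignal plugin's code: a WordPress settings handler that writes whatever arrives in the POST body next to one that checks the caller's capability and a nonce before touching any option. The function names, option keys, and the `onesignal_save_settings` nonce action are hypothetical, and the shims at the top stand in for WordPress core functions only so the file runs from the PHP CLI; in a real plugin those core functions already exist and the shims must not be shipped.

```php
<?php
// Illustrative example added to this advisory; not the OneSignal plugin's own code.
// Option keys, function names and the nonce action below are hypothetical.

// Stand-ins for WordPress core functions so this file runs outside WordPress
// (assumption: plain PHP CLI). Never ship these in a plugin.
if (!function_exists('current_user_can')) {
    $GLOBALS['__fake_caps']    = [];   // constructed: capabilities of the "current user"
    $GLOBALS['__fake_options'] = [];   // constructed: the wp_options table
    function current_user_can($cap) { return in_array($cap, $GLOBALS['__fake_caps'], true); }
    function wp_verify_nonce($nonce, $action) { return $nonce === 'valid-nonce-for-' . $action ? 1 : false; }
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
    function update_option($key, $value) { $GLOBALS['__fake_options'][$key] = $value; return true; }
    function wp_die($msg, $title = '', $args = []) { throw new RuntimeException($msg); }
}

// VULNERABLE: the handler trusts any POST body. Whoever can reach the hooked
// endpoint, logged in or not, overwrites the keys. Sanitizing the values does
// nothing for authorization; it only cleans up the attacker's input.
function insecure_save_settings(array $post) {
    update_option('example_onesignal_app_id',       sanitize_text_field($post['app_id'] ?? ''));
    update_option('example_onesignal_rest_api_key', sanitize_text_field($post['rest_api_key'] ?? ''));
}

// HARDENED: capability check (is this user allowed to change site settings?)
// and nonce check (did this request originate from our own admin form, not a
// cross-site one?), both before any state changes, and both failing closed.
function secure_save_settings(array $post) {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    if (!wp_verify_nonce($post['_wpnonce'] ?? '', 'onesignal_save_settings')) {
        wp_die('Invalid or missing nonce', '', ['response' => 403]);
    }
    update_option('example_onesignal_app_id',       sanitize_text_field($post['app_id'] ?? ''));
    update_option('example_onesignal_rest_api_key', sanitize_text_field($post['rest_api_key'] ?? ''));
}

// Constructed request from an unauthenticated attacker: no session, no nonce.
$attacker_post = ['app_id' => 'attacker-controlled-app-id', 'rest_api_key' => 'attacker-key'];

insecure_save_settings($attacker_post);
echo "insecure handler stored app_id = " . $GLOBALS['__fake_options']['example_onesignal_app_id'] . PHP_EOL;

$GLOBALS['__fake_options'] = [];
try {
    secure_save_settings($attacker_post);
} catch (RuntimeException $e) {
    echo "secure handler rejected attacker: " . $e->getMessage() . PHP_EOL;
}

// A real administrator submitting the plugin's own form (valid nonce) still succeeds.
$GLOBALS['__fake_caps'] = ['manage_options'];
secure_save_settings($attacker_post + ['_wpnonce' => 'valid-nonce-for-onesignal_save_settings']);
echo "secure handler stored app_id for admin = " . $GLOBALS['__fake_options']['example_onesignal_app_id'] . PHP_EOL;
```

Run it with `php handler.php`: the first handler stores the attacker's App ID, the second rejects the same request and accepts only the administrator's. The two checks are not interchangeable: the capability check is authorization and the nonce check is CSRF protection, and a handler that has only one of them is still exploitable (an unauthenticated POST passes a missing capability check; a logged-in admin lured to a hostile page passes a missing nonce check). In WordPress the hardened handler also belongs on the `admin_post_{action}` hook only, never on the `admin_post_nopriv_{action}` variant, which is reachable without a session.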
What an attacker can do
03 Attacker Capabilities
Overwrite the plugin's OneSignal App ID, REST API key, and notification behavior settings without authentication, by sending direct POST requests to the plugin's settings handler on the affected site.
Potential impact on your site
04 Site Impact
Because the App ID and REST API key select which OneSignal application the plugin talks to, an attacker who overwrites them can repoint the site's push integration to an application they control and alter the push notifications delivered to your subscribers, potentially spreading misinformation or malicious links under your site's name.
Conditions required to exploit
05 Prerequisites
Network access to the affected WordPress site, specifically to the plugin's settings POST handler; no authentication or user interaction required.
Key dates
06 Disclosure timeline
December 15, 2025
CVE published
April 8, 2026
Record updated