VYPR
Medium severity · 5.3 · NVD Advisory · Published Dec 15, 2025 · Updated Apr 15, 2026

CVE-2025-13950

Description

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying user capabilities or nonces. This makes it possible for unauthenticated attackers to overwrite the OneSignal App ID, REST API key, and notification behavior via direct POST requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The OneSignal WordPress plugin up to 3.6.1 lacks capability and nonce checks on settings save, allowing unauthenticated attackers to overwrite critical configuration via direct POST requests.

Vulnerability

Overview

The OneSignal – Web Push Notifications plugin for WordPress, in all versions up to and including 3.6.1, is missing a capability check in its settings handling functionality. The plugin processes POST requests that save its configuration without verifying the requesting user's capabilities or a nonce, as the code changes in the fix [1] show. As a result, any unauthenticated visitor can trigger the settings update.

Exploitation

An attacker can exploit this by sending a direct POST request to the WordPress admin area where the plugin's settings are handled. The request can include parameters such as onesignal_app_id, onesignal_rest_api_key, and other notification behavior settings. No authentication or prior knowledge is required beyond the endpoint URL. The plugin's code prior to the fix did not check for current_user_can() or nonce validation, allowing the settings to be overwritten without any privilege check.

Impact

Successful exploitation allows an attacker to overwrite the OneSignal App ID and REST API key, effectively hijacking the push notification service for the site. This could enable the attacker to send arbitrary push notifications to all subscribed users, potentially containing malicious links or phishing content. Additionally, altering notification behavior could disrupt legitimate notifications or cause denial of service.

Mitigation

The vulnerability has been addressed in a subsequent release. The fix, visible in the referenced pull request [1], adds proper capability checks (e.g., current_user_can('manage_options')) and nonce verification to the settings save handler. Users are strongly advised to update to the latest version of the plugin to protect their sites.
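As an added illustration (not code from the OneSignal plugin or its fix), the following hypothetical WordPress settings-save handler is shown first in the unchecked form the description names and then hardened with the capability and nonce checks the mitigation describes. The option names, hook and nonce action names are assumptions for the example only.

```php
<?php
// Added example, not the plugin's own code. Option names, the nonce action
// name and the form field names are assumptions made for this illustration.

// Weak form: trusts any POST, so an unauthenticated request can rewrite options.
function example_save_settings_unchecked() {
    if ( ! empty( $_POST['example_app_id'] ) ) {
        update_option( 'example_app_id', $_POST['example_app_id'] );
        update_option( 'example_rest_api_key', $_POST['example_rest_api_key'] );
    }
}

// Hardened form: only a user allowed to manage options, submitting a form
// that carries a valid nonce, can change the stored configuration.
function example_save_settings_hardened() {
    // Ignore anything that is not a POST carrying our settings form.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! isset( $_POST['example_save'] ) ) {
        return;
    }
    // Capability check: unauthenticated visitors and low-privileged users stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), '', array( 'response' => 403 ) );
    }
    // Nonce check: the form must have been issued to this user for this action,
    // which also blocks cross-site (CSRF) submissions made through a logged-in admin.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Sanitize before storing; never write raw request values into options.
    $app_id  = sanitize_text_field( wp_unslash( $_POST['example_app_id'] ?? '' ) );
    $api_key = sanitize_text_field( wp_unslash( $_POST['example_rest_api_key'] ?? '' ) );
    if ( '' !== $app_id ) {
        update_option( 'example_app_id', $app_id );
    }
    if ( '' !== $api_key ) {
        update_option( 'example_rest_api_key', $api_key );
    }
}

// The settings form must emit the field the handler verifies:
//   wp_nonce_field( 'example_save_settings', 'example_nonce' );
add_action( 'admin_init', 'example_save_settings_hardened' );
```

Because the handler runs on `admin_init`, the capability check is what stops an unauthenticated request; the nonce alone would not, since WordPress only ties a nonce to a logged-in session.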

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
