Vulnerabilities and security researches foronesignal-free-web-push-notifications onesignal-free-web-push-notifications

Jun 06, 2024

CVE, Research URL: CVE-2019-15827
Home page URL: Security reports for OneSignal – Web Push Notifications
Application: OneSignal – Web Push Notifications
Date: Aug 30, 2019
Research Description: The onesignal-free-web-push-notifications plugin before 1.17.8 for WordPress has XSS via the subdomain parameter.
Affected versions: max 1.17.8.
Status: vulnerable

Dec 03, 2024

PSC, Research URL: PSC-2024-64545
Home page URL: Security reports for OneSignal – Web Push Notifications
Application: OneSignal – Web Push Notifications
Date: Aug 05, 2025
Research Description: OneSignal – Web Push Notifications – A powerful plugin designed to boost user engagement and retention by sending targeted push notifications. Whether you’re a startup or an enterprise, OneSignal ensures seamless delivery of notifications across platforms, driving re-engagement with your website even after users have left. With a simple setup process and advanced features like real-time analytics, A/B testing, and user segmentation, this plugin is trusted by millions worldwide. Its robust infrastructure and commitment to security make it a reliable choice for businesses of all sizes. Additionally, OneSignal has undergone rigorous security testing and received the prestigious Plugin Security Certification (PSC) from CleanTalk, ensuring a secure and dependable solution for managing push notifications.
Affected versions: Min 3.8.1, max 3.8.1.
Status: SAFE & CERTIFIED

Jan 10, 2026

CVE, Research URL: CVE-2025-13950
Home page URL: Security reports for OneSignal – Web Push Notifications
Application: OneSignal – Web Push Notifications
Date: Dec 15, 2025
Research Description: The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying user capabilities or nonces. This makes it possible for unauthenticated attackers to overwrite the OneSignal App ID, REST API key, and notification behavior via direct POST requests.
Affected versions: max 3.6.2.
Status: vulnerable

Apr 17, 2026

CVE, Research URL: CVE-2026-3155
Home page URL: Security reports for OneSignal – Web Push Notifications
Application: OneSignal – Web Push Notifications
Date: Apr 16, 2026
Research Description: The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.
Affected versions: max 3.8.1.
Status: vulnerable