cleantalk
Vulnerabilities and Security Researches

OneSignal – Web Push Notifications, CVE-2026-3155

CVE, Research URL

CVE-2026-3155

Home page URL

Security reports for OneSignal – Web Push Notifications

Application

OneSignal – Web Push Notifications

Published on
Apr 16, 2026
Research Description
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.
Affected versions
max 3.8.1.
Status
vulnerable
Previous vulnerability researches
Add Any Extension to Pages (214b59c3-5411-4137-b1a7-3bba417e495b) , Jun 07, 2024
Add Any Extension to Pages (CVE-2023-50873) , Jun 07, 2024
New vulnerability
ThemeGrill Demo Importer (CVE-2026-40730) , Apr 17, 2026
Email Encoder – Protect Email Addresses and Phone Numbers (CVE-2026-2840) , Apr 17, 2026
WP Allowed Hosts (CVE-2026-0734) , Apr 17, 2026
Real Post Slider Lite (CVE-2026-0680) , Apr 17, 2026
WP Docs (CVE-2026-3878) , Apr 17, 2026