cleantalk
Vulnerabilities and Security Researches

OneSignal – Web Push Notifications, CVE-2026-3155

CVE, Research URL

CVE-2026-3155

Home page URL

Security reports for OneSignal – Web Push Notifications

Application

OneSignal – Web Push Notifications

Published on
Apr 16, 2026
Research Description
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.
Affected versions
max 3.8.1.
Status
vulnerable
Previous vulnerability researches
Advance Block Extend (CVE-2026-1646) , Apr 16, 2026
New vulnerability
Coachific Shortcode (CVE-2026-4005) , Apr 17, 2026
ThemeGrill Demo Importer (CVE-2026-40730) , Apr 17, 2026
Email Encoder – Protect Email Addresses and Phone Numbers (CVE-2026-2840) , Apr 17, 2026
WP Allowed Hosts (CVE-2026-0734) , Apr 17, 2026
Real Post Slider Lite (CVE-2026-0680) , Apr 17, 2026