cleantalk
Vulnerabilities and Security Researches

OneSignal – Web Push Notifications, CVE-2026-3155

CVE, Research URL

CVE-2026-3155

Home page URL

Security reports for OneSignal – Web Push Notifications

Application

OneSignal – Web Push Notifications

Published on
Apr 16, 2026
Research Description
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.
Affected versions
max 3.8.1.
Status
vulnerable
Previous vulnerability researches
Electric Studio Download Counter (CVE-2026-0741) , Apr 17, 2026
New vulnerability
WP Allowed Hosts (CVE-2026-0734) , Apr 17, 2026
Real Post Slider Lite (CVE-2026-0680) , Apr 17, 2026
WP Docs (CVE-2026-3878) , Apr 17, 2026
Accessibly – WordPress Website Accessibility (CVE-2026-3643) , Apr 17, 2026
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader. (CVE-2026-4880) , Apr 17, 2026