cleantalk
Vulnerabilities and Security Researches

All push notification for WP, CVE-2026-0816

CVE, Research URL

CVE-2026-0816

Home page URL

Security reports for All push notification for WP

Application

All push notification for WP

Published on
Feb 04, 2026
Research Description
The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'delete_id' parameter in all versions up to, and including, 1.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 1.5.3.
Status
vulnerable
Previous vulnerability researches
Simple GDPR Cookie Compliance (CVE-2026-24604) , Jan 27, 2026
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2019-25143) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (7d5b4ba83a5c6004460bf267fe534a359e1416b0) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2023-4013) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2025-1621) , Mar 14, 2025
New vulnerability
Taskbuilder – WordPress Project & Task Management plugin (CVE-2026-2289) , Apr 16, 2026
Taskbuilder – WordPress Project & Task Management plugin (CVE-2026-1639) , Apr 16, 2026
Taskbuilder – WordPress Project & Task Management plugin (CVE-2026-1640) , Apr 16, 2026
Tennis Court Bookings (CVE-2026-1044) , Apr 16, 2026
Custom Logo (CVE-2026-2499) , Apr 16, 2026