cleantalk
Vulnerabilities and Security Researches

OneSignal – Web Push Notifications, CVE-2025-13950

CVE, Research URL

CVE-2025-13950

Home page URL

Security reports for OneSignal – Web Push Notifications

Application

OneSignal – Web Push Notifications

Published on
Dec 15, 2025
Research Description
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying user capabilities or nonces. This makes it possible for unauthenticated attackers to overwrite the OneSignal App ID, REST API key, and notification behavior via direct POST requests.
Affected versions
max 3.6.2.
Status
vulnerable
Previous vulnerability researches
OneSignal – Web Push Notifications , Dec 03, 2024
OneSignal – Web Push Notifications (CVE-2026-3155) , Apr 17, 2026
OneSignal – Web Push Notifications (CVE-2025-13950) , Jan 10, 2026
OneSignal – Web Push Notifications (CVE-2019-15827) , Jun 06, 2024
New vulnerability
VI: Include Post By (CVE-2026-5717) , Apr 17, 2026
Responsive Accordion Slider (CVE-2026-0635) , Apr 17, 2026
Petje.af (CVE-2026-4002) , Apr 17, 2026
LinkedIn SC (CVE-2026-0812) , Apr 17, 2026
Coachific Shortcode (CVE-2026-4005) , Apr 17, 2026