cleantalk
Vulnerabilities and Security Researches

WP Firebase Push Notification, CVE-2025-5924

CVE, Research URL

CVE-2025-5924

Home page URL

Security reports for WP Firebase Push Notification

Application

WP Firebase Push Notification

Published on
Jul 04, 2025
Research Description
The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 1.2.0.
Status
vulnerable
Previous vulnerability researches
Related Products Manager for WooCommerce (CVE-2025-50045) , Jul 01, 2025
New vulnerability
Soumettre.fr (CVE-2025-4654) , Jul 05, 2025
Content Manager Light (CVE-2025-24771) , Jul 05, 2025
SB Breadcrumbs (CVE-2025-28978) , Jul 05, 2025
Portfolio & Image Gallery for WordPress | PowerFolio (CVE-2025-7046) , Jul 05, 2025
AI Engine (CVE-2025-6238) , Jul 05, 2025