cleantalk
Vulnerabilities and Security Researches

Notify Odoo, CVE-2026-8425

CVE, Research URL

CVE-2026-8425

Home page URL

Security reports for Notify Odoo

Application

Notify Odoo

Published on
May 15, 2026
Research Description
The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the _updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to an attacker-controlled URL and modify notification, tracking image, and allowed IP address settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.0.2.
Status
vulnerable
Previous vulnerability researches
WPGraphQL (CVE-2019-9880) , Jun 06, 2024
WPGraphQL (CVE-2023-23684) , Jun 06, 2024
WPGraphQL (CVE-2019-9881) , Jun 06, 2024
WPGraphQL (CVE-2019-25060) , Jun 06, 2024
WPGraphQL (CVE-2019-9879) , Jun 06, 2024
New vulnerability
Notify Odoo (CVE-2026-8425) , May 17, 2026
WPGraphQL (CVE-2021-47959) , May 16, 2026
Smartcat Integration for WPML (CVE-2026-4683) , May 16, 2026
JoomSport – for Sports: Team & League, Football, Hockey & more (CVE-2026-6929) , May 16, 2026
Woocommerce Support System (CVE-2025-14033) , May 16, 2026