CVE-2025-13950 identifies a missing authorization vulnerability (CWE-862) in the OneSignal – Web Push Notifications plugin for WordPress, affecting all versions up to and including 3.6.1. The root cause is the absence of capability checks and nonce verification when handling POST requests that modify plugin settings. Specifically, the plugin allows unauthenticated HTTP POST requests to overwrite critical configuration parameters such as the OneSignal App ID, REST API key, and notification behavior settings. This flaw enables attackers without any authentication to manipulate the plugin’s configuration, potentially redirecting notifications, disabling them, or injecting malicious parameters. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), reflecting its ease of exploitation (network vector, no privileges required, no user interaction) but limited impact confined to integrity without affecting confidentiality or availability. No public exploits are currently known, but the vulnerability poses a risk to the integrity of push notification systems relying on this plugin. The issue is particularly relevant to WordPress sites using OneSignal for web push notifications, which are widely deployed across various sectors. Mitigation requires patching the plugin once updates are available or applying compensating controls such as restricting access to the plugin’s settings endpoints and monitoring for unauthorized POST requests.

The primary impact of CVE-2025-13950 is the unauthorized modification of OneSignal plugin settings, which compromises the integrity of web push notification configurations. Attackers can overwrite the OneSignal App ID and REST API key, potentially redirecting notifications to attacker-controlled endpoints or disabling notifications altogether. This can undermine communication channels with users, affecting marketing, alerting, or transactional notification workflows. While confidentiality and availability are not directly impacted, the integrity breach can lead to loss of trust, user confusion, or exploitation through malicious notifications if attackers inject harmful payloads. Organizations relying heavily on push notifications for customer engagement or critical alerts may experience operational disruption and reputational damage. The vulnerability’s ease of exploitation without authentication increases the risk of automated attacks targeting vulnerable WordPress sites globally.

1. Immediately update the OneSignal – Web Push Notifications plugin to a patched version once released by the vendor addressing the missing authorization checks. 2. Until a patch is available, restrict access to the WordPress admin area and plugin endpoints by implementing IP whitelisting or web application firewall (WAF) rules to block unauthorized POST requests targeting OneSignal settings URLs. 3. Monitor web server logs and WordPress audit logs for suspicious POST requests attempting to modify OneSignal plugin settings. 4. Employ security plugins that enforce capability checks and nonce verification on sensitive plugin actions as a temporary safeguard. 5. Educate site administrators to verify plugin configurations regularly to detect unauthorized changes early. 6. Consider disabling the OneSignal plugin temporarily if push notifications are not critical or if risk mitigation cannot be ensured. 7. Harden WordPress installations by enforcing strong authentication, limiting plugin installations to trusted sources, and maintaining regular backups to enable recovery from unauthorized changes.