
CVE-2025-13950: CWE-862 Missing Authorization in onesignal OneSignal – Web Push Notifications

Medium
Tags: Vulnerability, CVE-2025-13950, cve, cwe-862
Published: Mon Dec 15 2025 (12/15/2025, 14:25:12 UTC)
Source: CVE Database V5
Vendor/Project: onesignal
Product: OneSignal – Web Push Notifications

Description

CVE-2025-13950 is a medium-severity vulnerability in the OneSignal – Web Push Notifications WordPress plugin (up to and including version 3.6.1) that allows unauthenticated attackers to modify plugin settings because of missing authorization checks. Specifically, the plugin fails to verify user capabilities or nonces when processing POST requests, which lets an attacker overwrite critical configuration parameters such as the OneSignal App ID and REST API key. The vulnerability does not directly affect confidentiality or availability, but it compromises integrity by permitting unauthorized changes to notification behavior. Exploitation requires no authentication or user interaction and can be performed remotely over the network. Although no exploits are currently known in the wild, affected sites remain at risk until patched or mitigated. European organizations running this plugin on WordPress sites should prioritize updating or applying mitigations to prevent unauthorized manipulation of push notification configurations, which could otherwise be used for misinformation or phishing campaigns. Countries with high WordPress adoption and significant use of OneSignal services, such as Germany, the UK, France, and the Netherlands, are the most likely to be affected. The vulnerability's CVSS score is 5.3.

AI-Powered Analysis

Last updated: 12/22/2025, 15:59:35 UTC

Technical Analysis

CVE-2025-13950 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the OneSignal – Web Push Notifications plugin for WordPress, versions up to and including 3.6.1. The root cause is the absence of proper capability checks and nonce verification when handling POST requests that modify plugin settings. This flaw allows unauthenticated attackers to send crafted POST requests directly to the plugin’s settings endpoint, overwriting critical configuration parameters such as the OneSignal App ID, REST API key, and notification behavior settings. These parameters control how push notifications are sent and authenticated, so unauthorized modification can lead to malicious notifications being sent to subscribers or disruption of legitimate notification flows. The vulnerability does not expose sensitive data directly (no confidentiality impact) nor does it cause denial of service (no availability impact), but it compromises the integrity of the notification system. The attack vector is network-based, requiring no privileges or user interaction, making it straightforward to exploit. Although no public exploits have been reported, the vulnerability’s presence in a widely used WordPress plugin poses a significant risk to websites relying on OneSignal for push notifications. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation. The CVSS v3.1 base score is 5.3 (medium), reflecting the ease of exploitation balanced against the limited impact scope.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized alteration of web push notification configurations, enabling attackers to send fraudulent or malicious notifications to end users. This can damage brand reputation, facilitate phishing or social engineering attacks, and erode user trust. Organizations relying on push notifications for critical alerts or customer engagement may experience misinformation dissemination or loss of communication control. While the vulnerability does not directly expose sensitive data or cause service outages, the integrity compromise can have downstream effects on user security and organizational credibility. Sectors such as e-commerce, media, and public services that use OneSignal for customer or citizen notifications are particularly at risk. Additionally, attackers could leverage this vulnerability as a foothold for further attacks by injecting malicious payloads or redirecting users to malicious sites. The medium severity indicates a moderate risk that should not be ignored, especially given the ease of exploitation and lack of authentication requirements.

Mitigation Recommendations

1. Immediately update the OneSignal – Web Push Notifications plugin to a patched version once available. Monitor vendor announcements for official fixes.
2. Until a patch is released, restrict access to the WordPress admin and plugin endpoints using web application firewalls (WAFs) or IP whitelisting to prevent unauthorized POST requests.
3. Implement additional server-side authorization checks via custom code or security plugins to enforce capability verification and nonce validation on POST requests targeting OneSignal settings.
4. Regularly audit plugin configurations and logs for unauthorized changes or suspicious activity related to push notification settings.
5. Educate site administrators about the risks of unauthorized configuration changes and encourage strong administrative credential policies.
6. Consider temporarily disabling the OneSignal plugin if push notifications are not critical, to eliminate the attack surface.
7. Employ Content Security Policy (CSP) and other browser security controls to mitigate the impact of malicious notifications if they occur.
8. Monitor threat intelligence feeds for emerging exploits targeting this vulnerability to respond promptly.
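The root cause described in the Technical Analysis (a settings handler that writes POSTed values without a capability check or nonce verification) and mitigation step 3 above are illustrated by the following added example. This is not OneSignal's code: the handler, hook, form field and option names (everything prefixed `example_`) are hypothetical stand-ins for whatever the real plugin uses. It shows the CWE-862 pattern next to the hardened form a WordPress plugin author or a site owner writing a custom mu-plugin would use.

```php
<?php
/**
 * Added example, not OneSignal's code. All example_* names are hypothetical.
 *
 * Pattern 1 (vulnerable): the CWE-862 shape described for CVE-2025-13950.
 * The handler trusts any POST request that carries the expected field names.
 * Hooking it on 'init' means it runs for every visitor, authenticated or not,
 * so an unauthenticated POST can overwrite the stored App ID and REST API key.
 */
function example_save_settings_vulnerable() {
    if ( ! isset( $_POST['example_app_id'], $_POST['example_rest_api_key'] ) ) {
        return;
    }
    // No current_user_can(), no nonce: whoever can reach the site can change these.
    update_option( 'example_app_id', sanitize_text_field( wp_unslash( $_POST['example_app_id'] ) ) );
    update_option( 'example_rest_api_key', sanitize_text_field( wp_unslash( $_POST['example_rest_api_key'] ) ) );
}
// add_action( 'init', 'example_save_settings_vulnerable' ); // left disabled on purpose

/**
 * Pattern 2 (hardened): the same handler with the two checks mitigation step 3 asks for.
 *
 * Note that moving the hook to 'admin_init' is NOT an authorization check by itself:
 * admin_init also fires for admin-ajax.php, which unauthenticated clients can reach.
 * The capability test and the nonce test are what actually enforce authorization.
 */
function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_settings_submit'] ) ) {
        return;
    }

    // 1. Capability check: only users allowed to manage site options may proceed.
    //    Anonymous requests have no capabilities, so this alone defeats the
    //    unauthenticated case; it also stops low-privilege logged-in users.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions to change these settings.', 'example' ), 403 );
    }

    // 2. Nonce check: the form must carry a token issued by
    //    wp_nonce_field( 'example_save_settings', 'example_nonce' ) for this user.
    //    This blocks CSRF against an administrator who is already logged in.
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_key( $_POST['example_nonce'] ) : '';
    if ( '' === $nonce || ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) {
        wp_die( esc_html__( 'Security token missing or expired. Please reload the settings page.', 'example' ), 403 );
    }

    // 3. Only after both checks pass are the values sanitized and stored.
    $app_id  = isset( $_POST['example_app_id'] ) ? sanitize_text_field( wp_unslash( $_POST['example_app_id'] ) ) : '';
    $api_key = isset( $_POST['example_rest_api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['example_rest_api_key'] ) ) : '';

    update_option( 'example_app_id', $app_id );
    update_option( 'example_rest_api_key', $api_key );

    // Leave an audit trail for mitigation step 4 (config/log review). The key itself
    // is deliberately not logged; only who changed it and from where.
    error_log( sprintf(
        'example plugin: settings changed by user %d from %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown'
    ) );
}
add_action( 'admin_init', 'example_save_settings_hardened' );

/**
 * The matching settings form. wp_nonce_field() emits the hidden token that the
 * hardened handler verifies; without it every submission is rejected with 403.
 */
function example_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // do not even render the form for users who may not change settings
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>App ID <input type="text" name="example_app_id"
            value="<?php echo esc_attr( get_option( 'example_app_id', '' ) ); ?>"></label>
        <label>REST API key <input type="password" name="example_rest_api_key" value=""></label>
        <button type="submit" name="example_settings_submit" value="1">Save</button>
    </form>
    <?php
}
```

Two practical notes for reviewers of a plugin like this. First, a handler that uses the WordPress Settings API (`register_setting()` plus a form posting to `options.php`) gets the `manage_options` check and nonce verification from core, so a custom POST handler that bypasses that path is exactly where a CWE-862 gap tends to appear. Second, when auditing for mitigation step 4, the `update_option` call is the place to watch: the WordPress `update_option_{$option}` hook (here it would be `update_option_example_rest_api_key`) fires whenever the value changes and can be used to alert on changes to the App ID or API key regardless of which code path made them.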


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-03T09:44:06.039Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69401ef9d9bcdf3f3de12790

Added to database: 12/15/2025, 2:45:13 PM

Last enriched: 12/22/2025, 3:59:35 PM

Last updated: 2/4/2026, 3:05:49 PM

Views: 75

