CVE-2025-5924 is a security vulnerability classified as CWE-352 (Cross-Site Request Forgery) affecting the WP Firebase Push Notification plugin for WordPress, specifically all versions up to and including 1.2.0. The vulnerability stems from the absence or improper implementation of nonce validation in the wfpn_brodcast_notification_message() function. Nonces are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. Without proper nonce validation, an attacker can craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link), triggers the sending of unauthorized broadcast notifications. This attack vector does not require the attacker to be authenticated but does require user interaction from an administrator. The vulnerability impacts the integrity of the notification system by allowing forged messages to be broadcast, potentially misleading users or causing reputational damage. However, it does not compromise confidentiality or availability of the system. The CVSS v3.1 base score is 4.3, indicating medium severity, with attack vector as network, low attack complexity, no privileges required, user interaction required, and impact limited to integrity. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in June 2025 and published in July 2025 by Wordfence.

The primary impact of CVE-2025-5924 is on the integrity of the WP Firebase Push Notification system. An attacker can send unauthorized broadcast notifications by exploiting the CSRF vulnerability, potentially misleading users with false or malicious messages. This can damage organizational reputation, cause misinformation, or disrupt communication channels. Since the attack requires an administrator to perform an action (click a link), the risk is somewhat mitigated by the need for user interaction. There is no direct impact on confidentiality or availability, so data breaches or service outages are unlikely. However, organizations relying heavily on push notifications for critical alerts or customer engagement may experience operational disruptions or loss of user trust. The lack of authentication requirement for the attacker increases the threat surface, but the necessity of administrator interaction limits large-scale automated exploitation. Overall, the impact is moderate but significant enough to warrant timely remediation.

To mitigate CVE-2025-5924, organizations should immediately update the WP Firebase Push Notification plugin to a version that includes proper nonce validation once available. In the absence of an official patch, administrators can implement manual nonce checks in the wfpn_brodcast_notification_message() function to validate requests originate from legitimate sources. Additionally, educating site administrators about the risks of clicking untrusted links can reduce the likelihood of exploitation. Employing web application firewalls (WAFs) with rules to detect and block suspicious CSRF attempts targeting the plugin's endpoints can provide an additional layer of defense. Regularly auditing plugin permissions and limiting administrator access to trusted personnel will also reduce risk. Monitoring notification logs for unusual broadcast activity can help detect exploitation attempts early. Finally, consider disabling or restricting the plugin's broadcast notification feature if it is not essential to reduce the attack surface.