CVE-2025-5924 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the WP Firebase Push Notification plugin for WordPress, developed by skywaveinfo. This vulnerability affects all versions up to and including 1.2.0. The root cause is the absence or incorrect implementation of nonce validation in the function wfpn_brodcast_notification_message(). Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. Without proper nonce validation, an attacker can craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link), triggers the sending of broadcast notifications without the administrator's consent. This attack does not require the attacker to be authenticated themselves but relies on social engineering to induce the administrator to perform an action. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction. The impact is limited to integrity, as attackers can send unauthorized notifications, potentially misleading users or causing reputational damage, but confidentiality and availability are not directly affected. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability is categorized under CWE-352, which is a common web application security weakness related to CSRF attacks.

For European organizations using WordPress sites with the WP Firebase Push Notification plugin, this vulnerability could allow attackers to send unauthorized broadcast notifications. These notifications could be used to spread misinformation, phishing links, or malicious content to site visitors or subscribers, potentially damaging the organization's reputation and trustworthiness. Although the vulnerability does not directly compromise sensitive data or system availability, the integrity of communications is at risk. This could be particularly impactful for organizations in sectors such as media, e-commerce, government, and public services, where notification integrity is critical. Additionally, regulatory frameworks like GDPR emphasize the protection of user trust and data integrity, so misuse of notifications could lead to compliance scrutiny if it results in user harm or data misuse. The requirement for user interaction (administrator clicking a link) means that targeted social engineering campaigns could be employed against site administrators, increasing the risk for organizations with less security-aware staff.

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations to identify the presence and version of the WP Firebase Push Notification plugin. If the plugin is in use and at or below version 1.2.0, organizations should consider disabling the plugin until a secure update is available. Administrators should be trained to recognize and avoid suspicious links or requests, especially those that could trigger administrative actions. Implementing multi-factor authentication (MFA) for WordPress admin accounts can reduce the risk of unauthorized access following social engineering. Additionally, organizations can deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious POST requests targeting the vulnerable function. Monitoring administrative actions and notification logs for unusual activity can help detect exploitation attempts. Finally, organizations should follow skywaveinfo's updates closely and apply patches as soon as they are released.