OneSignal – Web Push Notifications

3.1 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.

Basic Information

ID CVE-2026-3155

Source Wordfence

Published Apr 16, 2026 at 11:21

Affected Product

Vendor onesignal

Product OneSignal – Web Push Notifications

Affected Versions onesignal OneSignal – Web Push Notifications 0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The OneSignal \u2013 Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.",
    "published": "2026-04-16T11:21:22.226Z",
    "modified": "2026-04-16T11:21:22.226Z",
    "type": "cve",
    "title": "OneSignal \u2013 Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id'",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58337bbc-ba10-4876-b91c-78657afc67d1?source=cve\nhttps://plugins.trac.wordpress.org/changeset/3501190/onesignal-free-web-push-notifications",
    "id": "CVE-2026-3155",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "onesignal OneSignal \u2013 Web Push Notifications 0",
    "sourceHref": "",
    "cvss": {
        "score": 3.1,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OneSignal \u2013 Web Push Notifications",
    "version": "0",
    "vendor": "onesignal",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OneSignal – Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id'_CVE-2026-3155