{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5924", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-09T14:22:14.918Z", "datePublished": "2025-07-04T01:44:05.301Z", "dateUpdated": "2026-04-08T17:10:53.844Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:53.844Z"}, "affected": [{"vendor": "skywaveinfo", "product": "WP Firebase Push Notification", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WP Firebase Push Notification <= 1.2.0 - Cross-Site Request Forgery to Broadcast Notification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/996e0432-e795-4c01-8182-603a47f4f341?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-push-notification-firebase/trunk/wp_push_notification_firebase.php#L67"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-07-03T12:22:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-07T14:38:38.842687Z", "id": "CVE-2025-5924", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T15:02:10.127Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5924", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-07T14:38:38.842687Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T14:40:57.499Z"}}], "cna": {"title": "WP Firebase Push Notification <= 1.2.0 - Cross-Site Request Forgery to Broadcast Notification", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "skywaveinfo", "product": "WP Firebase Push Notification", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-03T12:22:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/996e0432-e795-4c01-8182-603a47f4f341?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-push-notification-firebase/trunk/wp_push_notification_firebase.php#L67"}], "descriptions": [{"lang": "en", "value": "The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:53.844Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5924", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:53.844Z", "dateReserved": "2025-06-09T14:22:14.918Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-04T01:44:05.301Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:skywavesolutions:wp_firebase_push_notification:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "21A2B489-BF22-4335-AF88-50F671AEC235", "versionEndIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento WP Firebase Push Notification para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.2.0 incluida. Esto se debe a la falta o a una validaci\u00f3n incorrecta de nonce en la funci\u00f3n wfpn_brodcast_notification_message(). Esto permite que atacantes no autenticados env\u00eden notificaciones de difusi\u00f3n mediante una solicitud falsificada, siempre que puedan enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-5924", "lastModified": "2025-07-10T15:13:40.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-07-04T03:15:21.240", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wp-push-notification-firebase/trunk/wp_push_notification_firebase.php#L67"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/996e0432-e795-4c01-8182-603a47f4f341?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:52:21.840167+00:00", "value": {"mitigation_remediation": ["Update the WP Firebase Push Notification plugin to the latest release (\u22651.2.1) where nonce validation is fixed.", "If an immediate update is not possible, disable or restrict the broadcast endpoint so that only users with administrator capabilities can trigger notifications.", "Deploy a web\u2011application firewall rule or custom server\u2011side check to block requests to the broadcast action that lack a valid nonce, providing an additional layer of CSRF protection."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery enabling unauthorized broadcast notifications"}, "threat_synthesis": {"affected_systems": "All installations of the WP Firebase Push Notification plugin from skywaveinfo that use version 1.2.0 or earlier are affected. The plugin should be upgraded to a later release where nonce handling has been corrected.", "description_and_impact": "The WP Firebase Push Notification WordPress plugin contains a CSRF flaw in all releases up to and including version 1.2.0. Missing or incorrect nonce validation on the broadcast function permits an attacker to forge a request that, if a site administrator is tricked into clicking a link, will cause the site to send a notification to all users. The primary impact is the ability to distribute spam or phishing messages without the administrator\u2019s consent, which undermines the confidentiality and trust of the notification system. This weakness is classified as CWE-352.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate severity. The EPSS score of less than 1% indicates a low probability that this vulnerability will be actively exploited at this time, and it is not listed in CISA\u2019s KEV catalog. The attack vector is most likely limited to websites that allow an administrator to follow a malicious link, making the exploitation scenario plausible but not highly probable. Nonetheless, the potential damage from unsolicited broadcast messages warrants prompt attention."}}}}, "created": "2025-07-13T21:47:36.700553+00:00", "updated": "2026-04-21T20:00:25.896229+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}