{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3155", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T20:34:14.733Z", "datePublished": "2026-04-16T11:21:22.226Z", "dateUpdated": "2026-04-16T14:00:56.681Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T11:21:22.226Z"}, "affected": [{"vendor": "onesignal", "product": "OneSignal \u2013 Web Push Notifications", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OneSignal \u2013 Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts."}], "title": "OneSignal \u2013 Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58337bbc-ba10-4876-b91c-78657afc67d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3501190/onesignal-free-web-push-notifications"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.1, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Sharief"}], "timeline": [{"time": "2026-02-24T20:50:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T21:51:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:57:39.644438Z", "id": "CVE-2026-3155", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:00:56.681Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OneSignal \u2013 Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts."}], "id": "CVE-2026-3155", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T12:16:07.507", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3501190/onesignal-free-web-push-notifications"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58337bbc-ba10-4876-b91c-78657afc67d1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.8.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "matching"}]}, "original": {"product": "OneSignal \u2013 Web Push Notifications", "source": "cna", "vendor": "onesignal"}, "product": "onesignal-free-web-push-notifications", "vendor": "onesignal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T03:24:55.621655+00:00", "value": {"mitigation_remediation": ["Update the OneSignal \u2013 Web Push Notifications plugin to the latest version (3.8.1 or higher) to remove the authorization flaw", "If an update cannot be applied immediately, limit user roles to restrict subscriber-level access or remove these users from the site", "Disable or uninstall the plugin entirely if push notifications are not required"], "summary": {"action": "Apply Patch", "impact": "Authorization bypass allowing authenticated users to delete OneSignal metadata"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the OneSignal \u2013 Web Push Notifications plugin version 3.8.0 or earlier are impacted. Users should verify the active version in the plugin management screen and consider the scope if the site hosts multiple posts with push notification metadata.", "description_and_impact": "The OneSignal \u2013 Web Push Notifications plugin for WordPress is affected by an authorization flaw in all releases up to and including 3.8.0. The flaw lies in the lack of proper access checks when processing a delete action on post metadata, which means that any authenticated user with subscriber-level privileges or higher can send a request to delete metadata for any post ID. While the deletion of this data does not directly expose content, it removes critical configuration that governs notification delivery for those posts, potentially rendering push notifications ineffective or incorrectly configured. The attack can be used to disrupt user engagement or create confusion over site notifications. Depending on the string of integrated workflows, the loss of metadata could be considered an impact on integrity and availability of the notification system.", "risk_and_exploitability": "The vulnerability has a CVSS score of 3.1, placing it in the low severity range. EPSS is currently not available and the vulnerability is not listed in the CISA KEV catalog. Because an attacker only needs valid user credentials with subscriber-level access, the attack vector is internal, i.e., authentication-based. Exploitation does not require remote code execution or elevated privileges beyond the user\u2019s existing role; however, once authenticated, the attacker can delete or modify metadata for any post, which may degrade site functionality and user experience. No public exploits are known, but the lack of proper authorization checks makes mitigation essential."}}}}, "created": "2026-04-16T18:58:36.022407+00:00", "updated": "2026-04-17T03:30:08.594693+00:00", "vendors": ["onesignal", "onesignal$PRODUCT$onesignal-free-web-push-notifications", "wordpress", "wordpress$PRODUCT$wordpress"]}