CVE-2025-5924
BaseFortify
Publication date: 2025-07-04
Last updated on: 2025-07-10
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| skywavesolutions | wp_firebase_push_notification | to 1.2.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5924 is a vulnerability in the WP Firebase Push Notification WordPress plugin (up to version 1.2.0) where the plugin lacks proper nonce validation in the wfpn_brodcast_notification_message() function. This missing or incorrect validation allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks by tricking a site administrator into clicking a malicious link, which then causes the site to send broadcast push notifications without authorization. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to send unauthorized broadcast push notifications to all users of the WordPress site using Firebase Cloud Messaging. This could be used to spread misinformation, phishing attempts, or spam notifications. Additionally, the plugin disables SSL verification when communicating with Firebase, which could expose notification data to interception or man-in-the-middle attacks, further compromising security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or unexpected POST requests to the WordPress admin endpoint that triggers the wfpn_brodcast_notification_message() function. Since the plugin sends push notifications via Firebase Cloud Messaging using HTTP POST requests, you can look for unusual POST requests to the plugin's broadcast notification URL. Commands to detect such activity could include using web server logs or network monitoring tools to filter POST requests to the relevant admin URL. For example, using grep on Apache logs: `grep 'POST.*wp-admin/admin.php.*wfpn_brodcast_notification_message' /var/log/apache2/access.log` or using a network packet capture tool like tcpdump to filter HTTP POST requests to the server. Additionally, checking WordPress logs or plugin-specific logs (if available) for broadcast notification actions may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WP Firebase Push Notification plugin to a version later than 1.2.0 where the nonce validation issue is fixed. If an update is not yet available, restrict access to the plugin's broadcast notification functionality by limiting admin access and disabling the plugin if possible. Additionally, monitor and block suspicious POST requests to the broadcast notification endpoint. Implementing Web Application Firewall (WAF) rules to detect and block forged requests targeting this plugin can also help. Finally, ensure that SSL verification is enabled for outgoing requests to Firebase to prevent man-in-the-middle attacks. [1]