CVE-2026-3155
Authorization Bypass in OneSignal WordPress Plugin Allows Metadata Deletion
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| onesignal | web_push_notifications | up to and including 3.8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the OneSignal – Web Push Notifications plugin for WordPress, specifically in versions up to and including 3.8.0. It is an authorization bypass issue caused by the plugin failing to properly verify whether a user is authorized to perform certain actions.
As a result, authenticated users who have subscriber-level access or higher can exploit this flaw to delete OneSignal metadata associated with arbitrary posts.
How can this vulnerability impact me?
This vulnerability allows attackers with subscriber-level access or above to delete metadata related to OneSignal notifications for any post. While it does not allow full control or data disclosure, it can disrupt the functionality of web push notifications by removing important metadata.
The impact is limited to integrity (modification/deletion) of notification metadata, with no direct impact on confidentiality or availability.