CVE-2025-13950
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify OneSignal plugin settings in WordPress, including the App ID and API keys. Attackers can change notification behavior or disrupt push notification functionality. All WordPress sites using OneSignal plugin versions up to 3.6.1 are affected.
💻 Affected Systems
- OneSignal - Web Push Notifications WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect push notifications to malicious servers, intercept sensitive user data, or completely disable notification functionality for the site.
Likely Case
Attackers modify notification settings to display malicious content, disrupt legitimate notifications, or cause service degradation.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary service disruption that can be quickly detected and reverted.
🎯 Exploit Status
Exploitation requires only sending crafted POST requests to vulnerable endpoints without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.2
Vendor Advisory: https://github.com/OneSignal/OneSignal-WordPress-Plugin/pull/387/files
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find OneSignal plugin. 4. Click 'Update Now' or manually update to version 3.6.2+. 5. Verify settings are correct after update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the OneSignal plugin until patched to prevent exploitation
wp plugin deactivate onesignal-free-web-push-notifications
Web Application Firewall Rule
allBlock POST requests to OneSignal plugin endpoints
Add WAF rule: Block POST requests containing '/onesignal' in URL path
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach WordPress admin endpoints
- Enable detailed logging of all POST requests to WordPress and monitor for unauthorized changes to plugin settings
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > OneSignal version. If version is 3.6.1 or lower, you are vulnerable.Check Version:
wp plugin get onesignal-free-web-push-notifications --field=versionVerify Fix Applied:
After updating, verify version shows 3.6.2 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin.php?page=onesignal-push
- Unauthorized modifications to onesignal_settings in database
Network Indicators:
- POST requests to OneSignal endpoints from unexpected IP addresses
- Unusual traffic patterns to plugin-specific URLs
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin.php" AND query_string="page=onesignal-push") AND http_method="POST"