
OneSignal WordPress Plugin Allows Attackers to Delete Notifications

CVE-2026-3155
Summary

A vulnerability in the OneSignal plugin for WordPress allows authenticated attackers with subscriber-level access or higher to delete OneSignal metadata for arbitrary posts. It affects plugin versions up to and including 3.8.0 and can be fixed by updating to a newer version. We recommend updating the plugin as soon as possible.

Original title
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a us...
Original description
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.
NVD CVSS v3.1 score: 3.1
Vulnerability type
CWE-862 Missing Authorization
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026