Authorization Bypass in OneSignal Web Push Notifications Plugin for WordPress
CVE-2026-3155

3.1 LOW

Key Information:

Vendor: WordPress

CVE Published: 16 April 2026

What is CVE-2026-3155?

The OneSignal – Web Push Notifications plugin for WordPress is affected by an authorization bypass vulnerability in versions up to and including 3.8.0. The flaw occurs because the plugin fails to adequately verify user permissions, enabling authenticated users with subscriber-level privileges or higher to delete OneSignal metadata linked to any post. This can pose significant risks to the integrity of content and user data within WordPress sites using this plugin.

Affected Version(s)

OneSignal – Web Push Notifications: versions 0 through 3.8.0 (<= 3.8.0)

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Sharief