OneSignal – Web Push Notifications < 3.8.1 – Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id' | CVE 2026-3155 | Plugin Vulnerabilities

Description

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.

Affects Plugins

onesignal-free-web-push-notifications

Fixed in 3.8.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/58337bbc-ba10-4876-b91c-78657afc67d1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Sharief

Verified

No

WPVDB ID

1e6c47a6-05f2-460c-8874-65bd05d742d0

Timeline

Publicly Published

2026-04-15 (about 2 months ago)

Added

2026-04-15 (about 2 months ago)

Last Updated

2026-04-16 (about 2 months ago)

Other

Published

Title

Published

2024-01-02

Title

Product Expiry for WooCommerce < 2.6 - Subscriber+ Settings Update

Published

2025-04-01

Title

Review Manager <= 2.5.0 - Missing Authorization

Published

2025-09-17

Title

Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages < 3.4.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Installation

Published

2024-06-20

Title

WishList Member X < 3.26.7 - Missing Authorization to Information Disclosure

Published

2024-02-20

Title

WooCommerce Google Sheet Connector < 1.3.12 - Missing Authorization