WordPress Plugin Vulnerabilities

Gravitec.net – Web Push Notifications < 2.9.18 - Missing Authorization

Description

The Gravitec.net – Web Push Notifications plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.9.17. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
gravitec-net-web-push-notifications
Fixed in 2.9.18

References

CVE
CVE-2025-62869
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5212567c-6134-4151-9fc6-eb4797ed0450

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
270e6e10-138f-4f99-95cb-42fad9c88312

Timeline

Publicly Published
2025-12-06 (about 3 months ago)
Added
2025-12-10 (about 2 months ago)
Last Updated
2026-01-06 (about 2 months ago)

Other

Published
Title
Published
2024-11-18
Title
Google for WooCommerce < 2.8.7 - Information Disclosure via Publicly Accessible PHP Info File
Published
2025-05-22
Title
Booking and Rental Manager < 2.3.9 - Missing Authorization
Published
2025-01-06
Title
Croma Music < 3.6.1 - Authenticated (Subscriber+) Arbitrary Options Update in ironMusic_ajax
Published
2025-12-10
Title
Coder for Elementor <= 1.0.13 - Missing Authorization
Published
2026-03-03
Title
Seraphinite Accelerator < 2.28.15 - Missing Authorization to Authenticated (Subscriber+) Log Clearing