CVE-2025-50028

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 12:15 (nvd)

Description (NVD)

Missing Authorization vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Push Notifications: from n/a through <= 1.2.0.

Analysis (AI)

CodeSolz Ultimate Push Notifications WordPress plugin through version 1.2.0 contains a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access control to bypass security levels and gain unauthorized access to sensitive functionality. The vulnerability is classified as CWE-862 (Missing Authorization) with low exploitation probability (EPSS 0.07%, 22nd percentile), indicating real-world exploitation risk is minimal despite the access control deficiency.

Technical Context (AI)

This vulnerability stems from a failure to implement proper access control checks in the Ultimate Push Notifications WordPress plugin, falling under CWE-862 (Missing Authorization). The plugin fails to enforce authentication or role-based authorization on certain endpoints or functionality, allowing attackers to directly access features that should be restricted to authenticated administrators or specific user roles. The root cause involves either missing permission checks in WordPress hooks or REST API endpoints, or improper use of the WordPress checks (capabilities, nonces, user roles) that protect against privilege escalation.

Affected Products (AI)

CodeSolz Ultimate Push Notifications WordPress plugin versions from an unspecified baseline through 1.2.0 are affected. The plugin is distributed via the WordPress.org plugin repository and is identified in the Patchstack vulnerability database. An exact CPE mapping is unavailable from the provided data, but affected installations can be identified through WordPress plugin management interfaces showing versions up to and including 1.2.0.
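For hosts where the plugin management interface is not practical (many sites, or file-system-only access), the same identification can be done by reading the plugin's header comment on disk. The script below is an added example, not code from the advisory or the plugin; it assumes the default wp-content/plugins layout, and the header sample is constructed. A "newer" result only means the version is above 1.2.0, since the fixed version is not given here.

```python
import re
import sys
from pathlib import Path

SLUG = "ultimate-push-notifications"  # plugin directory name, from the advisory
LAST_AFFECTED = (1, 2, 0)             # "through <= 1.2.0" per the description

# Constructed sample of a WordPress plugin header comment (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Ultimate Push Notifications
 * Version: 1.2.0
 */
"""

# "Version:" at the start of a line, after optional comment characters.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)


def parse_version(text):
    """'1.2' -> (1, 2, 0); a suffix such as '-beta2' is ignored."""
    core = re.split(r"[^0-9.]", text, maxsplit=1)[0]
    nums = [int(n) for n in re.findall(r"\d+", core)]
    return tuple(nums + [0] * (3 - len(nums)))


def version_from_header(php_source):
    """Return the Version header value, or None if this is not a plugin main file."""
    if not re.search(r"Plugin Name:", php_source, re.I):
        return None
    match = VERSION_RE.search(php_source)
    return match.group(1) if match else None


def check_site(wp_root):
    """Return (status, version); status is absent, unknown, affected or newer."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "absent", None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        version = version_from_header(head)
        if version:
            status = "affected" if parse_version(version) <= LAST_AFFECTED else "newer"
            return status, version
    return "unknown", None  # directory present but no header found: review by hand


if __name__ == "__main__":
    for root in sys.argv[1:]:
        print(root, *check_site(root))
```

Run it with one or more WordPress root directories as arguments; an "unknown" result means the plugin directory exists but its header could not be read, so that site needs a manual check.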

Remediation (AI)

Update CodeSolz Ultimate Push Notifications to a patched version released after 1.2.0; vendor patch details are not specified in the provided data, but the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ultimate-push-notifications/vulnerability/wordpress-ultimate-push-notifications-1-1-9-broken-access-control-vulnerability) should be consulted for the exact fixed version. As an interim workaround, administrators should restrict plugin functionality through WordPress role and capability restrictions, disable the plugin if unused, and monitor access logs for unauthorized access attempts to push notification endpoints. Ensure that WordPress core, themes, and complementary plugins are all kept current to minimize attack surface.
