Skip to main content

Gravitec.net Web Push Notifications CVE-2025-62869

MEDIUM
Missing Authorization (CWE-862)
2025-12-09 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 28, 2026 - 20:00 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net - Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gravitec.net - Web Push Notifications: from n/a through <= 2.9.17.

AnalysisAI

Broken access control in the Gravitec.net Web Push Notifications WordPress plugin versions 2.9.17 and earlier allows authenticated users to modify push notification settings and content without proper authorization checks, enabling privilege escalation or manipulation of notifications intended for administrator-only configuration. The vulnerability requires valid WordPress user credentials but does not enforce role-based access controls on sensitive endpoints, granting low-privileged users unintended modification capabilities.

Technical ContextAI

The Gravitec.net Web Push Notifications plugin is a WordPress extension that manages web-based push notification delivery. The vulnerability stems from CWE-862 (Missing Authorization), indicating that security-critical functions lack proper access control validation. Rather than checking whether an authenticated user holds the required admin role or capability before processing requests to modify notification settings, the plugin processes requests from any authenticated user. This is a common pattern in WordPress plugin vulnerabilities where developers implement authentication (PR:L in CVSS vector) but fail to layer authorization checks on top of it, confusing user identity with user privilege.

Affected ProductsAI

Gravitec.net Web Push Notifications WordPress plugin versions from initial release through 2.9.17. The plugin is distributed via the WordPress plugin repository and third-party marketplaces. CPE data not explicitly provided in input; affected installations are identifiable via WordPress plugin version checks (plugin slug: gravitec-net-web-push-notifications).

RemediationAI

Upgrade to the patched version released after 2.9.17 - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gravitec-net-web-push-notifications for the exact fix version and release date. Until patching is possible, disable the plugin entirely or restrict WordPress user registrations to administrators only, reducing the pool of users who can exploit the vulnerability. A compensating control is to implement Web Application Firewall rules that block POST requests to the plugin's settings endpoints from non-admin users, though this requires identifying the specific endpoint names in the plugin code and maintaining rules across updates.

Share

CVE-2025-62869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy