Gravitec.net Web Push Notifications CVE-2025-62869
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net - Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gravitec.net - Web Push Notifications: from n/a through <= 2.9.17.
AnalysisAI
Broken access control in the Gravitec.net Web Push Notifications WordPress plugin versions 2.9.17 and earlier allows authenticated users to modify push notification settings and content without proper authorization checks, enabling privilege escalation or manipulation of notifications intended for administrator-only configuration. The vulnerability requires valid WordPress user credentials but does not enforce role-based access controls on sensitive endpoints, granting low-privileged users unintended modification capabilities.
Technical ContextAI
The Gravitec.net Web Push Notifications plugin is a WordPress extension that manages web-based push notification delivery. The vulnerability stems from CWE-862 (Missing Authorization), indicating that security-critical functions lack proper access control validation. Rather than checking whether an authenticated user holds the required admin role or capability before processing requests to modify notification settings, the plugin processes requests from any authenticated user. This is a common pattern in WordPress plugin vulnerabilities where developers implement authentication (PR:L in CVSS vector) but fail to layer authorization checks on top of it, confusing user identity with user privilege.
Affected ProductsAI
Gravitec.net Web Push Notifications WordPress plugin versions from initial release through 2.9.17. The plugin is distributed via the WordPress plugin repository and third-party marketplaces. CPE data not explicitly provided in input; affected installations are identifiable via WordPress plugin version checks (plugin slug: gravitec-net-web-push-notifications).
RemediationAI
Upgrade to the patched version released after 2.9.17 - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gravitec-net-web-push-notifications for the exact fix version and release date. Until patching is possible, disable the plugin entirely or restrict WordPress user registrations to administrators only, reducing the pool of users who can exploit the vulnerability. A compensating control is to implement Web Application Firewall rules that block POST requests to the plugin's settings endpoints from non-admin users, though this requires identifying the specific endpoint names in the plugin code and maintaining rules across updates.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today