WordPress Security Bulletin: All push notification for WP plugin Vulnerability (CVE-2026-0816)

Security Alert Summary

The All push notification for WP plugin contains a time-based SQL injection vulnerability in the delete_id parameter in all versions up to and including 1.5.3. Authenticated users with administrator-level access (or equivalent high privileges) can exploit this weakness to append additional SQL queries to existing database queries and extract sensitive information.


CVE Details

  • CVE ID: CVE-2026-0816
  • Affected component: All push notification for WP plugin for WordPress
  • Affected versions: All versions up to and including 1.5.3
  • Published: February 4, 2026 at 9:15:52 AM UTC
  • Last modified: February 4, 2026 at 4:33:44 PM UTC
  • CVSS v3.1: Base Score 4.9 — MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: HIGH (requires authenticated, high-privilege account)
    • User Interaction: NONE
    • Scope: UNCHANGED
    • Impact — Confidentiality / Integrity / Availability: HIGH / NONE / NONE
  • Authentication / Privileges: Exploitation requires an authenticated user with administrator-level (high) privileges, per the CVE description and CVSS data.
  • CWE / Weakness: CWE-89 (SQL Injection)

Technical Details

This vulnerability is a time-based SQL injection in the plugin’s handling of the delete_id parameter. The CVE description reports insufficient escaping of user-supplied input and a lack of proper preparation (parameterization) of the existing SQL query. Because input is not safely handled, an attacker with the required privileges can append additional SQL statements to an existing query.

As described in the CVE entry, the weakness allows an authenticated attacker with administrator-level access (or equivalent) to craft input for delete_id that alters the executed SQL and enables extraction of sensitive data from the database via time-based techniques. The entry does not name specific functions or REST endpoints beyond the parameter, and does not specify a fixed version.
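To illustrate the two patterns the description contrasts, here is an added example that is hypothetical code, not the plugin's actual source (the CVE entry shows no code): a delete handler that interpolates delete_id straight into the query, beside the same handler using $wpdb->prepare() with an integer placeholder plus capability and nonce checks. The table name apn_subscriptions, the nonce action and the function names are assumptions.

```php
<?php
// Added example: hypothetical handler patterns, not the plugin's real code.
// Table name, nonce action and function names are assumptions for illustration.

// The pattern the CVE describes: the parameter is placed into the SQL string
// unescaped and unprepared, so the contents of delete_id become part of the
// statement itself rather than a bound value.
function apn_delete_subscription_unsafe() {
    global $wpdb;
    $delete_id = $_POST['delete_id'];
    $table     = $wpdb->prefix . 'apn_subscriptions';
    $wpdb->query( "DELETE FROM {$table} WHERE id = {$delete_id}" );
}

// Hardened form: capability check, nonce check, integer cast, and a prepared
// statement. With the %d placeholder the bound value can only be an integer,
// so the caller cannot change the shape of the query.
function apn_delete_subscription_safe() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'apn_delete_subscription' );

    $delete_id = absint( $_POST['delete_id'] ?? 0 );
    if ( 0 === $delete_id ) {
        wp_die( 'Invalid id.', 400 );
    }

    $table = $wpdb->prefix . 'apn_subscriptions';
    $rows  = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $delete_id )
    );
    return $rows; // number of deleted rows, or false on a database error
}
```

Note that the capability and nonce checks limit who can reach the handler, but only the prepared statement removes the injection itself; the CVE shows that high privileges alone are not a substitute for parameterization.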


How This Could Impact Your Website

In a typical WordPress site with multiple users, this vulnerability could be abused by a compromised or malicious administrator account, or by a contractor or contributor who has been granted high privileges. For example:

  • A site administrator or high-privilege contractor could submit a specially crafted value for delete_id that causes the database to respond in a way that reveals sensitive records over a series of timed requests.
  • Extracted data could include user information stored in the database. Exposure of internal user email addresses or other sensitive fields increases the risk of targeted phishing or social engineering against staff or contributors.
  • The vulnerability’s CVSS impacts are limited to confidentiality (HIGH) and do not indicate integrity or availability impacts in the provided data, so claims of full site takeover are not supported by this entry.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Apply updates to the affected plugin as soon as a patched version is made available. (The CVE entry does not specify a fixed or patched version.)
  • Review and reduce unnecessary high-privilege accounts and user roles; limit administrator-level access to trusted personnel only.
  • Enforce strong passwords and enable two-factor authentication for editor- and administrator-level accounts.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site and database activity for unusual queries or behavior that could indicate exploitation attempts.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
