CVE-2025-5924

Name of the Vulnerable Software and Affected Versions: WP Firebase Push Notification plugin for WordPress versions prior to 1.2.1

Description: The issue is due to missing or incorrect nonce validation on the wfpn brodcast notification message() function, making it possible for unauthenticated attackers to send broadcast notifications via a forged request. This can be achieved if the attackers can trick a site administrator into performing an action, such as clicking on a link.

Recommendations: For versions up to and including 1.2.0, consider disabling the wfpn brodcast notification message() function until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.