PT-2026-41280 · WordPress · Notify Odoo

·

CVE-2026-8425

·

Published

2026-05-15

·

Updated

2026-05-15

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Notify Odoo versions prior to 1.0.2
Description The Notify Odoo plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw. This occurs because the updateSettings() function lacks proper nonce validation. A nonce (number used once) is a unique token used to verify that a request was intentionally sent by the user. Consequently, unauthenticated attackers can trick a site administrator into clicking a link to execute a forged request. This allows the attacker to change the Notify Odoo URL to one they control and modify settings related to notifications, tracking images, and allowed IP addresses.
Recommendations Update the plugin to a version later than 1.0.1. As a temporary workaround, restrict access to the updateSettings() function to minimize the risk of exploitation.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8425

Affected Products

Notify Odoo