Push Notification for Post and BuddyPress Security & Risk Analysis

wordpress.org/plugins/push-notification-for-post-and-buddypress

Send free push notifications for post/custom post, BuddyPress from WordPress sites or using mobile app webview and to generate PWA.

200 active installs · v3.13 · PHP 8.1+ · WP 6.2+ · Updated Dec 14, 2025
Tags: buddypress, firebase, mobile-app, progressive-web-app, push-notification
Score: 95 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jan 16, 2025
Safety Verdict

Is Push Notification for Post and BuddyPress Safe to Use in 2026?

Generally Safe

Score 95/100

Push Notification for Post and BuddyPress has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 16, 2025 · Updated 3mo ago
Risk Assessment

The plugin "push-notification-for-post-and-buddypress" version 3.13 exhibits a mixed security posture. On the positive side, the plugin demonstrates strong adherence to secure coding practices by utilizing prepared statements for nearly all SQL queries and properly escaping the vast majority of its output. The presence of nonce checks and capability checks, while limited, is also a good sign. However, significant concerns arise from the large attack surface, with 8 out of 10 identified entry points lacking proper authorization checks. This includes all AJAX handlers and REST API routes, which are particularly vulnerable to unauthorized access and manipulation.

The taint analysis further amplifies these concerns, revealing 3 critical severity flows with unsanitized paths. This indicates a direct pathway for attackers to exploit potentially malicious input, leading to severe security breaches such as arbitrary code execution or sensitive data compromise. While there are no currently unpatched CVEs, the historical vulnerability data shows a pattern of critical and medium severity issues, including Cross-site Scripting, SQL Injection, and Missing Authorization. This suggests a recurring struggle with implementing robust security controls, especially regarding input validation and authorization.

In conclusion, while the plugin utilizes some secure coding practices like prepared statements and output escaping, the substantial number of unprotected entry points and critical taint flows present a significant risk. The historical vulnerability data reinforces these concerns. Immediate attention should be paid to securing all AJAX handlers and REST API routes, and further investigation into the identified taint flows is crucial to mitigate the risk of exploitation.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Critical severity taint flows
  • Historical critical CVEs
  • Historical medium CVEs
  • Bundled Guzzle library
Vulnerabilities
4

Push Notification for Post and BuddyPress Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 2 CVEs

Severity Breakdown

  • Critical: 1
  • Medium: 3

4 total CVEs

CVE-2025-23771 · medium · 5.3 · Missing Authorization

Push Notification for Post and BuddyPress <= 2.11 - Missing Authorization to Unauthenticated Settings Update

Jan 16, 2025 · Patched in 2.12 (40d)

CVE-2024-12407 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Push Notification for Post and BuddyPress <= 2.07 - Reflected Cross-Site Scripting

Jan 10, 2025 · Patched in 2.08 (20d)

CVE-2024-6159 · critical · 10 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Push Notification for Post and BuddyPress <= 1.93 - Unauthenticated SQL Injection

May 27, 2024 · Patched in 1.94 (73d)

Push Notification for Post and BuddyPress <= 1.63 - Missing Authorization to Unauthenticated Admin Notice Dismissal

Aug 22, 2023 · Patched in 1.64 (154d)
Code Analysis
Analyzed Mar 16, 2026

Push Notification for Post and BuddyPress Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 8 (419 prepared)
  • Unescaped Output: 57 (4449 escaped)
  • Nonce Checks: 20
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 19
  • Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

98% prepared · 427 total queries

Output Escaping

99% escaped · 4506 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

10 flows · 3 with unsanitized paths
<pnfpb_admin_notice_ajax> (admin\ajax_routines\pnfpb_admin_notice_ajax.php:0)
Attack Surface
8 unprotected

Push Notification for Post and BuddyPress Attack Surface

Entry Points: 10
Unprotected: 8

AJAX Handlers 6

  • auth · wp_ajax_icpushcallback · pnfpb_push_notification.php:522
  • nopriv · wp_ajax_icpushcallback · pnfpb_push_notification.php:526
  • auth · wp_ajax_icpushadmincallback · pnfpb_push_notification.php:531
  • nopriv · wp_ajax_icpushadmincallback · pnfpb_push_notification.php:535
  • auth · wp_ajax_unsubscribepush · pnfpb_push_notification.php:540
  • nopriv · wp_ajax_unsubscribepush · pnfpb_push_notification.php:544

REST API Routes 2

  • POST · /wp-json/PNFPBpush/v1/subscriptiontoken · pnfpb_push_notification.php:7952
  • POST · /wp-json/PNFPBpush/v2/notification-delivery-counts · pnfpb_push_notification.php:7959

Shortcodes 2

  • [subscribe_PNFPB_push_notification] · pnfpb_push_notification.php:981
  • [PNFPB_PWA_PROMPT] · pnfpb_push_notification.php:987

WordPress Hooks 81

  • filter · set_url_scheme · admin\pnfpb_delivery_notifications_browser_list_class.php:317
  • filter · set_url_scheme · admin\pnfpb_delivery_notifications_list_class.php:317
  • filter · set_url_scheme · admin\pnfpb_icfcm_device_tokens_list.php:292
  • filter · set_url_scheme · admin\pnfpb_icfcm_onetime_push_notifications_list_class.php:856
  • filter · set-screen-option · pnfpb_push_notification.php:372
  • action · wpmu_new_blog · pnfpb_push_notification.php:386
  • filter · wpmu_drop_tables · pnfpb_push_notification.php:391
  • action · init · pnfpb_push_notification.php:402
  • action · admin_init · pnfpb_push_notification.php:404
  • action · plugins_loaded · pnfpb_push_notification.php:409
  • filter · plugin_action_links · pnfpb_push_notification.php:416
  • filter · network_admin_plugin_action_links · pnfpb_push_notification.php:423
  • filter · action_scheduler_pastdue_actions_check_pre · pnfpb_push_notification.php:430
  • action · PNFPB_ondemand_schedule_push_notification_hook · pnfpb_push_notification.php:436
  • action · PNFPB_httpv1_schedule_push_notification_hook · pnfpb_push_notification.php:448
  • action · PNFPB_webpush_schedule_push_notification_hook · pnfpb_push_notification.php:459
  • action · PNFPB_onesignal_schedule_push_notification_hook · pnfpb_push_notification.php:470
  • action · PNFPB_progressier_schedule_push_notification_hook · pnfpb_push_notification.php:478
  • action · PNFPB_webtoapp_schedule_push_notification_hook · pnfpb_push_notification.php:490
  • action · login_enqueue_scripts · pnfpb_push_notification.php:501
  • action · wp_enqueue_scripts · pnfpb_push_notification.php:506
  • action · wp_enqueue_scripts · pnfpb_push_notification.php:511
  • action · admin_enqueue_scripts · pnfpb_push_notification.php:516
  • action · admin_menu · pnfpb_push_notification.php:550
  • action · admin_init · pnfpb_push_notification.php:555
  • action · admin_init · pnfpb_push_notification.php:556
  • action · admin_init · pnfpb_push_notification.php:561
  • action · init · pnfpb_push_notification.php:567
  • action · wp_head · pnfpb_push_notification.php:573
  • action · login_head · pnfpb_push_notification.php:578
  • action · wp_footer · pnfpb_push_notification.php:585
  • action · login_footer · pnfpb_push_notification.php:590
  • action · transition_post_status · pnfpb_push_notification.php:608
  • action · PNFPB_create_index_for_deviceid_action · pnfpb_push_notification.php:621
  • action · comment_post · pnfpb_push_notification.php:628
  • action · PNFPB_post_comments_notification_cron_hook · pnfpb_push_notification.php:645
  • action · rest_api_init · pnfpb_push_notification.php:651
  • action · PNFPB_trigger_post_notification_action · pnfpb_push_notification.php:656
  • action · bp_activity_posted_update · pnfpb_push_notification.php:671
  • action · PNFPB_trigger_activity_push_notification_action · pnfpb_push_notification.php:678
  • action · bp_groups_posted_update · pnfpb_push_notification.php:691
  • action · PNFPB_group_activity_notification_cron_hook · pnfpb_push_notification.php:702
  • action · messages_message_sent · pnfpb_push_notification.php:719
  • action · better_messages_message_sent · pnfpb_push_notification.php:731
  • action · PNFPB_private_message_notification_cron_hook · pnfpb_push_notification.php:742
  • action · bp_core_activated_user · pnfpb_push_notification.php:749
  • action · PNFPB_new_member_notification_cron_hook · pnfpb_push_notification.php:760
  • action · bp_activity_add_user_favorite · pnfpb_push_notification.php:767
  • action · PNFPB_mark_as_favourite_notification_cron_hook · pnfpb_push_notification.php:778
  • action · bp_follow_after_save · pnfpb_push_notification.php:784
  • action · PNFPB_bp_follower_notification_cron_hook · pnfpb_push_notification.php:795
  • action · friends_friendship_requested · pnfpb_push_notification.php:803
  • action · PNFPB_friendship_request_notification_cron_hook · pnfpb_push_notification.php:814
  • action · friends_friendship_accepted · pnfpb_push_notification.php:821
  • action · PNFPB_friendship_accept_notification_cron_hook · pnfpb_push_notification.php:832
  • action · bp_members_avatar_uploaded · pnfpb_push_notification.php:839
  • action · xprofile_avatar_uploaded · pnfpb_push_notification.php:851
  • action · PNFPB_avatar_change_notification_cron_hook · pnfpb_push_notification.php:863
  • action · members_cover_image_uploaded · pnfpb_push_notification.php:870
  • action · xprofile_cover_image_uploaded · pnfpb_push_notification.php:881
  • action · PNFPB_cover_image_change_notification_cron_hook · pnfpb_push_notification.php:893
  • action · bp_activity_comment_posted · pnfpb_push_notification.php:900
  • action · PNFPB_activities_comments_notification_cron_hook · pnfpb_push_notification.php:911
  • filter · bp_get_group_join_button · pnfpb_push_notification.php:926
  • action · bp_group_header_actions · pnfpb_push_notification.php:933
  • action · bp_directory_groups_actions · pnfpb_push_notification.php:938
  • action · bp_setup_nav · pnfpb_push_notification.php:945
  • action · groups_send_invites · pnfpb_push_notification.php:951
  • action · PNFPB_group_invite_notification_cron_hook · pnfpb_push_notification.php:961
  • action · groups_group_details_edited · pnfpb_push_notification.php:967
  • action · PNFPB_group_details_update_notification_cron_hook · pnfpb_push_notification.php:973
  • action · admin_bar_menu · pnfpb_push_notification.php:994
  • action · user_register · pnfpb_push_notification.php:1001
  • action · PNFPB_new_user_registration_notification_cron_hook · pnfpb_push_notification.php:1003
  • action · wpcf7_before_send_mail · pnfpb_push_notification.php:1010
  • action · PNFPB_contact_form_notification_cron_hook · pnfpb_push_notification.php:1017
  • action · admin_enqueue_scripts · pnfpb_push_notification.php:6627
  • action · bp_template_title · pnfpb_push_notification.php:7513
  • action · bp_template_content · pnfpb_push_notification.php:7517
  • action · init · public\service_worker\pnfpb_create_sw_file.php:16
  • action · parse_request · public\service_worker\pnfpb_create_sw_file.php:18

Scheduled Events 8

PNFPB_cron_generate_Firebase_oauth_token_hook
PNFPB_cron_update_buddypress_subscription_count_hook
PNFPB_cron_update_post_subscription_count_hook
PNFPB_cron_post_hook
PNFPB_cron_buddypressactivities_hook
PNFPB_cron_buddypressgroupactivities_hook
PNFPB_cron_buddypresscomments_hook
PNFPB_cron_comments_post_hook
Maintenance & Trust

Push Notification for Post and BuddyPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 14, 2025
  • PHP min version: 8.1
  • Downloads: 31K

Community Trust

  • Rating: 94/100
  • Number of ratings: 24
  • Active installs: 200
Developer Profile

Push Notification for Post and BuddyPress Developer Profile

Murali

2 plugins · 900 total installs

  • Trust score: 87
  • Avg Security Score: 98/100
  • Avg Patch Time: 72 days
Detection Fingerprints

How We Detect Push Notification for Post and BuddyPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/push-notification-for-post-and-buddypress/assets/css/style.css
  • /wp-content/plugins/push-notification-for-post-and-buddypress/assets/js/icfcm_sw.js
  • /wp-content/plugins/push-notification-for-post-and-buddypress/assets/js/icfcm_pn_app.js
  • /wp-content/plugins/push-notification-for-post-and-buddypress/assets/js/icfcm_firebase_messaging.js
  • /wp-content/plugins/push-notification-for-post-and-buddypress/assets/js/icfcm_firebase_app.js
  • /wp-content/plugins/push-notification-for-post-and-buddypress/assets/js/icfcm_pn_registration.js
  • /wp-content/plugins/push-notification-for-post-and-buddypress/assets/js/icfcm_pn_settings.js
  • /wp-content/plugins/push-notification-for-post-and-buddypress/assets/js/icfcm_pn_push.js
  • +2 more

Script Paths

  • assets/js/icfcm_sw.js
  • assets/js/icfcm_pn_app.js
  • assets/js/icfcm_firebase_messaging.js
  • assets/js/icfcm_firebase_app.js
  • assets/js/icfcm_pn_registration.js
  • assets/js/icfcm_pn_settings.js
  • +3 more

Version Parameters

  • push-notification-for-post-and-buddypress/assets/css/style.css?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_sw.js?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_pn_app.js?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_firebase_messaging.js?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_firebase_app.js?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_pn_registration.js?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_pn_settings.js?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_pn_push.js?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_pn_device.js?ver=
  • push-notification-for-post-and-buddypress/assets/js/icfcm_pn_shortcode.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • pnfpb-notification-wrapper
  • pnfpb-settings-section
  • pnfpb-field-group
  • pnfpb-input-field
  • pnfpb-textarea-field
  • pnfpb-checkbox-field
  • pnfpb-radio-field
  • pnfpb-select-field
  • +7 more

HTML Comments

  • <!-- PNFPB Settings Page Start -->
  • <!-- PNFPB On Demand Push Notification Form -->
  • <!-- PNFPB Device Tokens List -->
  • <!-- PNFPB PWA Settings -->
  • +4 more

Data Attributes

  • data-pnfpb-setting
  • data-pnfpb-field
  • data-pnfpb-action
  • data-pnfpb-token-id
  • data-pnfpb-pwa-url
  • data-pnfpb-nginx-option

JS Globals

  • pnfpb_ajax_object
  • PNFPB_SW_URL
  • PNFPB_FIREBASE_CONFIG

REST Endpoints

  • /wp-json/pnfpb/v1/settings
  • /wp-json/pnfpb/v1/tokens
  • /wp-json/pnfpb/v1/push
  • /wp-json/pnfpb/v1/pwa
  • /wp-json/pnfpb/v1/nginx

Shortcode Output

  • [pnfpb_subscribe_button]
  • [pnfpb_push_notification_form]
  • [pnfpb_pwa_manifest]
  • [pnfpb_service_worker]
FAQ

Frequently Asked Questions about Push Notification for Post and BuddyPress