
[Bug]: OneSignal intercepts POST requests from other plugins causing 403 error #392

@cortesfrau

What happened?

Bug: OneSignal intercepts POST requests from other plugins causing 403 error

Problem

OneSignal incorrectly intercepts POST requests from other plugins when they try to save options, causing the error "The link you followed has expired".

Location

File: v3/onesignal-admin/onesignal-admin.php (lines 30-54)
Function: onesignal_handle_settings_save()

Root Cause

The function is hooked to admin_init and executes for all POST requests. It only checks:

  1. That it's a POST request
  2. That the submit button text is "Save Settings"

It does NOT verify if the request comes from OneSignal's settings page, so it intercepts forms from other plugins that have the same button name.

Steps to Reproduce

  1. Activate OneSignal plugin
  2. Activate any other plugin with a "Save Settings" button
  3. Try to save options from the other plugin
  4. Error: "The link you followed has expired"

Expected Behavior

OneSignal should only process POST requests from its own settings page, not intercept requests from other plugins.

Solution

Add page verification before processing:

function onesignal_handle_settings_save() {
  if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
    return;
  }

  // MISSING CHECK: Verify we're on OneSignal's settings page
  if (!isset($_GET['page']) || $_GET['page'] !== 'onesignal-admin-page.php') {
    return;
  }

  if (!isset($_POST["submit"]) || $_POST["submit"] !== "Save Settings") {
    return;
  }

  check_admin_referer('onesignal_v3_save_settings', 'onesignal_v3_settings_nonce');
  // ... rest of code
}

Alternative: Check for OneSignal-specific fields before processing:

if (!isset($_POST['onesignal_app_id']) && !isset($_POST['onesignal_rest_api_key'])) {
  return;
}

Impact

  • Severity: High - Prevents other plugins from saving their options
  • Affected Version: v3 (v2 doesn't have this issue)
  • Frequency: 100% reproducible when another plugin has a "Save Settings" button

WordPress version

6.0.2

OneSignal Plugin version

6.0.2

Code of Conduct

  • I agree to follow this project's Code of Conduct
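The interception reported above, as an added example that is not part of the original report or of the OneSignal plugin's code: a stand-alone PHP simulation comparing the handler as the issue describes it with the issue's alternative field check. `check_admin_referer_stub`, the two handler names, the nonce rule and the sample requests are assumptions made for the demo.

```php
<?php
// Added example: runs stand-alone with the PHP CLI, no WordPress required.
class NonceFailure extends Exception {}

// Stand-in for WordPress's check_admin_referer(): the real function reads the
// request itself and ends it with a 403 page when the nonce is missing or invalid.
// Constructed rule: a nonce is valid when it equals "nonce-for-<action>".
function check_admin_referer_stub(string $action, string $field, array $post): void {
    if (($post[$field] ?? null) !== "nonce-for-$action") {
        throw new NonceFailure('403: The link you followed has expired.');
    }
}

// Behaviour the issue describes: any POST with submit="Save Settings" is claimed.
function handler_unscoped(array $post): string {
    if (($post['submit'] ?? null) !== 'Save Settings') {
        return 'ignored';
    }
    check_admin_referer_stub('onesignal_v3_save_settings', 'onesignal_v3_settings_nonce', $post);
    return 'saved';
}

// The issue's alternative check: return early unless a OneSignal field is present.
// Requests that pass the check still go through nonce verification.
function handler_scoped(array $post): string {
    if (!isset($post['onesignal_app_id']) && !isset($post['onesignal_rest_api_key'])) {
        return 'ignored';
    }
    return handler_unscoped($post);
}

function outcome(callable $handler, array $post): string {
    try {
        return $handler($post);
    } catch (NonceFailure $e) {
        return 'blocked';
    }
}

// Constructed requests (all field values are made up).
$base = ['submit' => 'Save Settings'];
$requests = [
    'other plugin form'     => $base + ['other_plugin_option' => '1'],
    'OneSignal, good nonce' => $base + ['onesignal_app_id' => 'app-1',
        'onesignal_v3_settings_nonce' => 'nonce-for-onesignal_v3_save_settings'],
    'OneSignal, bad nonce'  => $base + ['onesignal_app_id' => 'app-1',
        'onesignal_v3_settings_nonce' => 'stale'],
];
foreach ($requests as $label => $post) {
    printf("%-22s unscoped=%-8s scoped=%s\n", $label,
        outcome('handler_unscoped', $post), outcome('handler_scoped', $post));
}
```

The scoping check only decides whether the request belongs to this handler; the nonce verification stays in place for every request the handler does claim.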
