Skip to main content

AWP Classifieds CVE-2026-39533

| EUVDEUVD-2026-36962 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-g9hw-vmcm-m59v
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated remote endpoint with missing authorization check (PR:N/UI:N/AV:N/AC:L); description and CWE indicate destructive action only, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:18 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions.

AnalysisAI

Availability-impacting broken access control in the AWP Classifieds (Another WordPress Classifieds Plugin) WordPress plugin through version 4.4.4 allows unauthenticated remote attackers to invoke privileged functionality due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) indicates the flaw exposes a sensitive action - most plausibly a destructive or resource-consuming operation - over the network with no credentials or user interaction. No public exploit identified at time of analysis.

Technical ContextAI

AWP Classifieds (also known as Another WordPress Classifieds Plugin, vendor CPE 'wptasty:awp_classifieds') is a WordPress plugin used to publish classified-ad listings on WordPress sites. The root cause is CWE-862 Missing Authorization: a server-side endpoint (typically an admin-post.php, admin-ajax.php, or REST route registered by the plugin) executes a privileged action without verifying the caller's capability via WordPress's current_user_can()/nonce checks. Because the CVSS impact is A:H only (no C/I), the unprotected handler likely performs a state-changing or destructive action - for example bulk deletion or reset of listings, categories, or plugin settings - rather than disclosing or arbitrarily modifying data.

RemediationAI

Upgrade the AWP Classifieds plugin to a version newer than 4.4.4 via the WordPress plugin updater as soon as the vendor publishes a fixed release; the input data does not identify an exact patched version, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-4-broken-access-control-vulnerability) and the plugin's WordPress.org changelog to confirm the patched release before deployment. If no fix is yet available, deactivate the plugin entirely (eliminates the classifieds feature) or place the WordPress site behind a WAF rule that blocks unauthenticated POST/GET requests to AWP Classifieds AJAX and admin-post.php actions (action= parameter values registered by the plugin) and to its custom REST routes - accepting that legitimate front-end ad submission or moderation workflows that rely on those endpoints may break. Take a verified backup of the WordPress database before exposure remains, given the availability-only impact suggests destructive operations are reachable.

Share

CVE-2026-39533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy