Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated remote endpoint with missing authorization check (PR:N/UI:N/AV:N/AC:L); description and CWE indicate destructive action only, so C:N/I:N/A:H.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions.
AnalysisAI
Availability-impacting broken access control in the AWP Classifieds (Another WordPress Classifieds Plugin) WordPress plugin through version 4.4.4 allows unauthenticated remote attackers to invoke privileged functionality due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) indicates the flaw exposes a sensitive action - most plausibly a destructive or resource-consuming operation - over the network with no credentials or user interaction. No public exploit identified at time of analysis.
Technical ContextAI
AWP Classifieds (also known as Another WordPress Classifieds Plugin, vendor CPE 'wptasty:awp_classifieds') is a WordPress plugin used to publish classified-ad listings on WordPress sites. The root cause is CWE-862 Missing Authorization: a server-side endpoint (typically an admin-post.php, admin-ajax.php, or REST route registered by the plugin) executes a privileged action without verifying the caller's capability via WordPress's current_user_can()/nonce checks. Because the CVSS impact is A:H only (no C/I), the unprotected handler likely performs a state-changing or destructive action - for example bulk deletion or reset of listings, categories, or plugin settings - rather than disclosing or arbitrarily modifying data.
RemediationAI
Upgrade the AWP Classifieds plugin to a version newer than 4.4.4 via the WordPress plugin updater as soon as the vendor publishes a fixed release; the input data does not identify an exact patched version, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-4-broken-access-control-vulnerability) and the plugin's WordPress.org changelog to confirm the patched release before deployment. If no fix is yet available, deactivate the plugin entirely (eliminates the classifieds feature) or place the WordPress site behind a WAF rule that blocks unauthenticated POST/GET requests to AWP Classifieds AJAX and admin-post.php actions (action= parameter values registered by the plugin) and to its custom REST routes - accepting that legitimate front-end ad submission or moderation workflows that rely on those endpoints may break. Take a verified backup of the WordPress database before exposure remains, given the availability-only impact suggests destructive operations are reachable.
More in Awp Classifieds
View allThe WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters befor
SQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to
Missing Authorization vulnerability in AWP Classifieds Team AWP Classifieds.3.1. Rated high severity (CVSS 8.8), this vu
Cross-Site Request Forgery (CSRF) vulnerability in AWP Classifieds Team Ad Directory & Listings by AWP Classifieds plugi
Cross-site scripting (XSS) vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36962
GHSA-g9hw-vmcm-m59v