Skip to main content

WPAdverts CVE-2026-40782

| EUVDEUVD-2026-36988 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-mgw9-rhc9-427f
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-accessible WordPress endpoint, no authentication required per description and PR:N tag; integrity and availability both limited with no confidentiality exposure confirmed.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:08 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in WPAdverts <= 2.3.0 versions.

AnalysisAI

Broken access control in WPAdverts WordPress plugin versions up to and including 2.3.0 permits unauthenticated remote attackers to bypass authorization gates and perform restricted plugin actions, resulting in limited integrity and availability impact. The flaw is rooted in CWE-862 (Missing Authorization), a well-understood WordPress plugin vulnerability class where endpoints lack capability or permission checks before executing privileged operations. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; however, the fully unauthenticated, low-complexity network attack vector meaningfully lowers the exploitation barrier for any internet-exposed WordPress site running the affected plugin.

Technical ContextAI

WPAdverts is a WordPress classified advertisements plugin developed by Greg Winiarski (CPE: cpe:2.3:a:greg_winiarski:wpadverts:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization), which in the WordPress ecosystem typically manifests when a plugin registers AJAX handlers (via wp_ajax_nopriv_ hooks), REST API routes, or front-end form processors without validating caller permissions using WordPress capability checks such as current_user_can() or without enforcing nonce-to-user binding. Because wp-admin/admin-ajax.php and the REST API are network-accessible without authentication by default, any unprotected endpoint registered by the plugin becomes an unauthenticated attack surface. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the endpoint is reachable over the network without credentials or prerequisites.

RemediationAI

Site administrators should update WPAdverts beyond version 2.3.0 immediately; the specific patched release version was not independently confirmed in the available intelligence data and must be verified via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpadverts/vulnerability/wordpress-wpadverts-plugin-2-3-0-broken-access-control-vulnerability or the official WordPress plugin repository changelog. If an immediate update is not feasible, compensating controls include temporarily deactivating the WPAdverts plugin (which will interrupt classified ads functionality), deploying a web application firewall rule to block unauthenticated requests to the plugin's registered AJAX or REST API endpoints, or restricting WordPress front-end access to authenticated users only at the web server or application layer. Note that WAF-based mitigations require knowledge of the specific unprotected endpoint(s) to be effective and may not provide complete coverage without vendor guidance on the exact vulnerable action.

Share

CVE-2026-40782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy