Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-accessible WordPress endpoint, no authentication required per description and PR:N tag; integrity and availability both limited with no confidentiality exposure confirmed.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in WPAdverts <= 2.3.0 versions.
AnalysisAI
Broken access control in WPAdverts WordPress plugin versions up to and including 2.3.0 permits unauthenticated remote attackers to bypass authorization gates and perform restricted plugin actions, resulting in limited integrity and availability impact. The flaw is rooted in CWE-862 (Missing Authorization), a well-understood WordPress plugin vulnerability class where endpoints lack capability or permission checks before executing privileged operations. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; however, the fully unauthenticated, low-complexity network attack vector meaningfully lowers the exploitation barrier for any internet-exposed WordPress site running the affected plugin.
Technical ContextAI
WPAdverts is a WordPress classified advertisements plugin developed by Greg Winiarski (CPE: cpe:2.3:a:greg_winiarski:wpadverts:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization), which in the WordPress ecosystem typically manifests when a plugin registers AJAX handlers (via wp_ajax_nopriv_ hooks), REST API routes, or front-end form processors without validating caller permissions using WordPress capability checks such as current_user_can() or without enforcing nonce-to-user binding. Because wp-admin/admin-ajax.php and the REST API are network-accessible without authentication by default, any unprotected endpoint registered by the plugin becomes an unauthenticated attack surface. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the endpoint is reachable over the network without credentials or prerequisites.
RemediationAI
Site administrators should update WPAdverts beyond version 2.3.0 immediately; the specific patched release version was not independently confirmed in the available intelligence data and must be verified via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpadverts/vulnerability/wordpress-wpadverts-plugin-2-3-0-broken-access-control-vulnerability or the official WordPress plugin repository changelog. If an immediate update is not feasible, compensating controls include temporarily deactivating the WPAdverts plugin (which will interrupt classified ads functionality), deploying a web application firewall rule to block unauthenticated requests to the plugin's registered AJAX or REST API endpoints, or restricting WordPress front-end access to authenticated users only at the web server or application layer. Note that WAF-based mitigations require knowledge of the specific unprotected endpoint(s) to be effective and may not provide complete coverage without vendor guidance on the exact vulnerable action.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36988
GHSA-mgw9-rhc9-427f