Skip to main content

Wpadverts

2 CVEs product

Monthly

CVE-2026-57366 HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Wpadverts
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40782 MEDIUM This Month

Broken access control in WPAdverts WordPress plugin versions up to and including 2.3.0 permits unauthenticated remote attackers to bypass authorization gates and perform restricted plugin actions, resulting in limited integrity and availability impact. The flaw is rooted in CWE-862 (Missing Authorization), a well-understood WordPress plugin vulnerability class where endpoints lack capability or permission checks before executing privileged operations. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; however, the fully unauthenticated, low-complexity network attack vector meaningfully lowers the exploitation barrier for any internet-exposed WordPress site running the affected plugin.

Authentication Bypass Wpadverts
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Wpadverts
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in WPAdverts WordPress plugin versions up to and including 2.3.0 permits unauthenticated remote attackers to bypass authorization gates and perform restricted plugin actions, resulting in limited integrity and availability impact. The flaw is rooted in CWE-862 (Missing Authorization), a well-understood WordPress plugin vulnerability class where endpoints lack capability or permission checks before executing privileged operations. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; however, the fully unauthenticated, low-complexity network attack vector meaningfully lowers the exploitation barrier for any internet-exposed WordPress site running the affected plugin.

Authentication Bypass Wpadverts
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy