Wpadverts
Monthly
Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.
Broken access control in WPAdverts WordPress plugin versions up to and including 2.3.0 permits unauthenticated remote attackers to bypass authorization gates and perform restricted plugin actions, resulting in limited integrity and availability impact. The flaw is rooted in CWE-862 (Missing Authorization), a well-understood WordPress plugin vulnerability class where endpoints lack capability or permission checks before executing privileged operations. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; however, the fully unauthenticated, low-complexity network attack vector meaningfully lowers the exploitation barrier for any internet-exposed WordPress site running the affected plugin.
Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.
Broken access control in WPAdverts WordPress plugin versions up to and including 2.3.0 permits unauthenticated remote attackers to bypass authorization gates and perform restricted plugin actions, resulting in limited integrity and availability impact. The flaw is rooted in CWE-862 (Missing Authorization), a well-understood WordPress plugin vulnerability class where endpoints lack capability or permission checks before executing privileged operations. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; however, the fully unauthenticated, low-complexity network attack vector meaningfully lowers the exploitation barrier for any internet-exposed WordPress site running the affected plugin.