WPAdverts – Classifieds Plugin Security & Risk Analysis

wordpress.org/plugins/wpadverts

Build classifieds section in seconds. Allow your visitors to browse and post (paid or free) classified ads on your site.

5K active installs · v2.3.0 · PHP 5.6+ · WP 5.7+ · Updated Mar 2, 2026
Tags: classified, classified-ads, classifieds, classifieds-plugin, classifieds-script

Score 62 · C · Use Caution
CVEs total: 9
Unpatched: 1
Last CVE: Jan 7, 2026

Safety Verdict

Is WPAdverts – Classifieds Plugin Safe to Use in 2026?

Use With Caution

Score 62/100

WPAdverts – Classifieds Plugin has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

9 known CVEs · 1 unpatched · Last CVE: Jan 7, 2026 · Updated 1mo ago

Risk Assessment

The WPAdverts plugin v2.3.0 exhibits a mixed security posture. While it demonstrates good practices in certain areas, such as using prepared statements for most SQL queries and implementing a reasonable number of nonce and capability checks, significant concerns exist regarding its attack surface and historical vulnerability patterns. The substantial number of AJAX handlers, all lacking authentication checks, represents a critical risk, potentially allowing unauthenticated users to trigger arbitrary actions within the plugin. The taint analysis, though limited in scope, identified flows with unsanitized paths, hinting at potential for insecure file operations or path traversal vulnerabilities, even without critical severity. The plugin's history of nine CVEs, with one still unpatched and a prevalence of high and medium severity issues including missing authorization, XSS, and RFI, is a strong indicator of recurring security weaknesses that require serious attention. The presence of an unpatched vulnerability, especially one with high severity, further elevates the risk profile. In conclusion, while the plugin shows some positive security engineering, the large unprotected attack surface and its past vulnerability history necessitate a cautious approach and prompt remediation of outstanding issues.

Key Concerns

  • Large attack surface without auth checks (AJAX)
  • Unpatched CVE (1 high severity)
  • Multiple high/medium severity CVEs in history
  • Flows with unsanitized paths (taint analysis)
  • Output escaping not consistently applied (68%)
  • Missing permission callbacks on REST API
Vulnerabilities
9

WPAdverts – Classifieds Plugin Security Vulnerabilities

CVEs by Year

  • 2024: 3 CVEs
  • 2025: 5 CVEs
  • 2026: 1 CVE · unpatched

Severity Breakdown

  • High: 2
  • Medium: 7

9 total CVEs

CVE-2026-27092 · medium · 4.3 · Missing Authorization

WPAdverts – Classifieds Plugin <= 2.2.11 - Missing Authorization

Jan 7, 2026 · Unpatched

CVE-2025-54024 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPAdverts <= 2.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 16, 2025 · Patched in 2.2.6 (7d)

CVE-2025-49878 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPAdverts <= 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 12, 2025 · Patched in 2.2.5 (6d)

CVE-2025-48269 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPAdverts <= 2.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 19, 2025 · Patched in 2.2.4 (11d)

CVE-2025-47440 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPAdverts <= 2.2.2 - Authenticated (Contributor+) Local File Inclusion

May 7, 2025 · Patched in 2.2.3 (7d)

CVE-2025-39576 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPAdverts <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 16, 2025 · Patched in 2.2.2 (7d)

CVE-2024-10890 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPAdverts – Classifieds Plugin <= 2.1.7 - Reflected Cross-Site Scripting

Nov 20, 2024 · Patched in 2.1.8 (1d)

CVE-2024-10108 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPAdverts – Classifieds Plugin <= 2.1.6 - Unauthenticated Stored Cross-Site Scripting via adverts_add Shortcode

Oct 29, 2024 · Patched in 2.1.7 (1d)

CVE-2024-37238 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WPAdverts – Classifieds Plugin <= 2.1.2 - Cross-Site Request Forgery

Jun 21, 2024 · Patched in 2.1.3 (6d)

Code Analysis
Analyzed Mar 16, 2026

WPAdverts – Classifieds Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (12 prepared)
Unescaped Output: 408 (879 escaped)
Nonce Checks: 21
Capability Checks: 13
File Operations: 20
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

92% prepared · 13 total queries

Output Escaping

68% escaped · 1287 total outputs

Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths

adverts_save_category (includes\admin-pages.php:477)
Attack Surface
35 unprotected

WPAdverts – Classifieds Plugin Attack Surface

Entry Points: 43
Unprotected: 35

AJAX Handlers 35

nopriv wp_ajax_wpadverts-contact-form-submit addons\contact-form\contact-form.php:308
auth wp_ajax_adext_payments_render addons\payments\includes\ajax.php:6
nopriv wp_ajax_adext_payments_render addons\payments\includes\ajax.php:7
auth wp_ajax_adext_payments_complete_payment addons\payments\includes\ajax.php:9
nopriv wp_ajax_adext_payments_complete_payment addons\payments\includes\ajax.php:10
auth wp_ajax_wpadverts-taxonomy includes\class-field-autocomplete.php:12
nopriv wp_ajax_wpadverts-taxonomy includes\class-field-autocomplete.php:13
auth wp_ajax_wpadverts-styling-save wpadverts.php:583
auth wp_ajax_wpadverts-styling-reset wpadverts.php:584
auth wp_ajax_adverts_author_suggest wpadverts.php:585
auth wp_ajax_adverts_gallery_upload wpadverts.php:586
auth wp_ajax_adverts_gallery_update wpadverts.php:587
auth wp_ajax_adverts_gallery_update_order wpadverts.php:588
auth wp_ajax_adverts_gallery_delete wpadverts.php:589
auth wp_ajax_adverts_gallery_delete_file wpadverts.php:590
auth wp_ajax_adverts_gallery_image_stream wpadverts.php:591
auth wp_ajax_adverts_gallery_image_restore wpadverts.php:592
auth wp_ajax_adverts_gallery_image_save wpadverts.php:593
auth wp_ajax_adverts_gallery_video_cover wpadverts.php:594
auth wp_ajax_adverts_show_contact wpadverts.php:595
auth wp_ajax_adverts_delete_tmp wpadverts.php:596
auth wp_ajax_adverts_delete_tmp_files wpadverts.php:597
auth wp_ajax_adverts_delete wpadverts.php:598
nopriv wp_ajax_adverts_gallery_upload wpadverts.php:600
nopriv wp_ajax_adverts_gallery_update wpadverts.php:601
nopriv wp_ajax_adverts_gallery_update_order wpadverts.php:602
nopriv wp_ajax_adverts_gallery_delete wpadverts.php:603
nopriv wp_ajax_adverts_gallery_delete_file wpadverts.php:604
nopriv wp_ajax_adverts_gallery_image_stream wpadverts.php:605
nopriv wp_ajax_adverts_gallery_image_restore wpadverts.php:606
nopriv wp_ajax_adverts_gallery_image_save wpadverts.php:607
nopriv wp_ajax_adverts_gallery_video_cover wpadverts.php:608
nopriv wp_ajax_adverts_show_contact wpadverts.php:610
nopriv wp_ajax_adverts_delete_tmp wpadverts.php:611
nopriv wp_ajax_adverts_delete_tmp_files wpadverts.php:612

REST API Routes 1

GET /wp-json/wpadverts/v1/classifieds-types includes\class-rest-blocks.php:6

Shortcodes 7

[adverts_payments_checkout] addons\payments\includes\shortcodes.php:15
[adverts_list] includes\shortcodes.php:15
[adverts_add] includes\shortcodes.php:16
[adverts_manage] includes\shortcodes.php:17
[adverts_categories] includes\shortcodes.php:18
[adverts_block] includes\shortcodes.php:19
[advert_single] includes\shortcodes.php:20

WordPress Hooks 190

action adext_register_payment_gateway addons\bank-transfer\bank-transfer.php:27
filter adverts_form_bind addons\bank-transfer\bank-transfer.php:122
action init addons\contact-form\contact-form.php:26
action init addons\contact-form\contact-form.php:31
action adverts_tpl_single_bottom addons\contact-form\contact-form.php:64
action adext_contact_form_send addons\contact-form\contact-form.php:305
action adverts_tpl_single_bottom addons\contact-form\contact-form.php:321
filter wpadverts/block/details/contact-options addons\contact-form\contact-form.php:322
filter wp_mail_from addons\contact-form\contact-form.php:407
filter wp_mail_from_name addons\contact-form\contact-form.php:408
filter wpadverts/block/form/styles/atts addons\contact-form\includes\class-block-details.php:177
filter adverts_form_load addons\contact-form\includes\class-block-details.php:270
filter wpadverts_messages_register addons\contact-form\includes\class-emails-integration.php:26
filter adext_emails_list_filter_options addons\contact-form\includes\class-emails-integration.php:27
filter adverts_form_bind addons\core\includes\admin-pages.php:161
filter adverts_form_bind addons\core\includes\admin-pages.php:188
action admin_init addons\emails\includes\class-emails.php:65
action init addons\emails\includes\class-emails.php:66
filter adverts_form_load addons\emails\includes\class-emails.php:74
filter wpadverts_message addons\emails\includes\class-emails.php:75
filter wpadverts_messages_register addons\emails\includes\class-emails.php:93
filter wpadverts_message addons\emails\includes\class-emails.php:94
filter wpadverts_message_args addons\emails\includes\class-emails.php:95
action post_submitbox_misc_actions addons\featured\featured.php:28
filter wp_insert_post_data addons\featured\featured.php:29
filter adverts_form_load addons\featured\featured.php:30
filter display_post_states addons\featured\featured.php:31
filter adverts_css_classes addons\featured\featured.php:33
filter adverts_payments_features addons\featured\featured.php:34
action adverts_sh_manage_list_status addons\featured\featured.php:35
filter shortcode_atts_adverts_list addons\featured\featured.php:36
filter adverts_list_query addons\featured\featured.php:37
filter adverts_payments_order_create addons\featured\featured.php:40
action adverts_payment_completed addons\featured\featured.php:41
filter adverts_form_load addons\payments\includes\admin-pages.php:29
filter wpadverts_messages_register addons\payments\includes\class-emails-integration.php:55
filter adext_emails_list_filter_options addons\payments\includes\class-emails-integration.php:56
action wp addons\payments\includes\events.php:17
action adext_payments_event_gc addons\payments\includes\events.php:19
action init addons\payments\payments.php:29
action adverts_core_initiated addons\payments\payments.php:30
action init addons\payments\payments.php:33
action init addons\payments\payments.php:35
action save_post_adverts-payment addons\payments\payments.php:62
action adverts_install_module_payments addons\payments\payments.php:119
filter adverts_form_load addons\payments\payments.php:120
filter adverts_action addons\payments\payments.php:177
filter adverts_action addons\payments\payments.php:178
filter wpadverts/block/publish/possible-actions addons\payments\payments.php:180
filter adverts_action_payment addons\payments\payments.php:181
action adverts_sh_manage_actions_more addons\payments\payments.php:183
action adverts_sh_manage_actions_more addons\payments\payments.php:184
filter wpadverts/block/manage/buttons-manage addons\payments\payments.php:185
filter adverts_manage_action addons\payments\payments.php:187
filter adverts_manage_action_renew addons\payments\payments.php:188
action adverts_sh_manage_list_status addons\payments\payments.php:190
action wpadverts/block/manage/list/status addons\payments\payments.php:191
filter adverts_form_bind addons\payments\payments.php:365
action admin_menu addons\payments\payments.php:1102
filter display_post_states addons\payments\payments.php:1103
action admin_head addons\payments\payments.php:1104
action adext_payments_details_box addons\payments\payments.php:1105
action adverts_payment_completed addons\payments\payments.php:1149
action adverts_payment_completed addons\payments\payments.php:1150
action adverts_payment_completed addons\payments\payments.php:1151
action adverts_payment_completed addons\payments\payments.php:1152
action init blocks\categories\index.php:8
filter block_categories_all blocks\class-block-manager.php:30
action init blocks\details\index.php:8
action wpadverts/block/details/tpl/contact-content blocks\details\index.php:171
action init blocks\list\index.php:8
filter adverts_form_load blocks\list\index.php:251
filter adverts_form_load blocks\list\index.php:259
filter adverts_form_load blocks\manage\class-manage-engine.php:221
action wp_footer blocks\manage\class-manage-engine.php:320
action wpadverts/tpl/partial/form/before-buttons blocks\manage\class-manage-engine.php:325
action init blocks\manage\index.php:8
action wpadverts/block/details/contact-options blocks\publish\class-publish-engine.php:490
action init blocks\publish\index.php:8
action init blocks\search\index.php:8
filter adverts_form_load blocks\search\index.php:213
filter adverts_form_load blocks\search\index.php:221
action init blocks\single-author\index.php:8
action init blocks\single-contact\index.php:8
action wp_footer blocks\single-contact\index.php:136
action wpadverts/block/details/tpl/contact-content blocks\single-contact\index.php:268
action init blocks\single-data-table\index.php:8
action init blocks\single-gallery\index.php:8
action init blocks\single-notifications\index.php:8
action init blocks\single-value\index.php:8
action admin_menu includes\admin-pages.php:17
filter adverts_form_load includes\admin-post-type.php:104
filter redirect_post_location includes\admin-post-type.php:179
filter request includes\admin-post-type.php:679
filter adverts_gallery_upload_prefilter includes\ajax.php:106
filter post_type_link includes\ajax.php:180
action wp_footer includes\class-gallery-helper.php:73
action adverts_form_load includes\class-honeypot.php:7
action wp_head includes\class-honeypot.php:8
filter adverts_flash_data includes\class-honeypot.php:65
filter post_guid includes\class-post.php:138
action template_redirect includes\class-taxonomies.php:13
action wp includes\class-taxonomies.php:14
filter shortcode_atts_adverts_list includes\class-taxonomies.php:18
filter adverts_list_query includes\class-taxonomies.php:19
filter adverts_tax_shortcode_args includes\class-taxonomies.php:20
filter template_include includes\class-taxonomies.php:164
filter comments_template includes\class-taxonomies.php:167
filter comments_template_query_args includes\class-taxonomies.php:168
action adverts_form_load includes\class-timetrap.php:24
filter adverts_add_form_bind includes\class-timetrap.php:74
filter adverts_form_bind includes\class-timetrap.php:77
filter adverts_flash_data includes\class-timetrap.php:105
filter adverts_flash_data includes\class-timetrap.php:113
filter adverts_post_type includes\class-types.php:11
filter adverts_post_type includes\class-types.php:12
filter adverts_register_taxonomy_post_type includes\class-types.php:14
filter adverts_register_taxonomy includes\class-types.php:15
filter wpadverts_mal_register_taxonomy_post_type includes\class-types.php:18
filter wpadverts_mal_register_taxonomy includes\class-types.php:19
filter pre_set_site_transient_update_plugins includes\class-updates-manager.php:103
filter plugins_api includes\class-updates-manager.php:104
filter pre_move_uploaded_file includes\class-upload-helper.php:240
action wp includes\events.php:17
filter cron_schedules includes\events.php:18
action adverts_event_gc includes\events.php:20
action adverts_event_expire_ads includes\events.php:21
action adverts_event_delete_tmp_files includes\events.php:22
action adverts_tpl_single_bottom includes\functions.php:2725
action adverts_tpl_single_top includes\functions.php:2994
action wpadverts/block/single-notifications includes\functions.php:2995
filter wp_image_editors includes\functions.php:4001
action wp_footer includes\gallery.php:133
action admin_footer includes\gallery.php:134
action wp_footer includes\gallery.php:253
filter adverts_form_load includes\shortcodes.php:184
filter adverts_form_load includes\shortcodes.php:192
filter adverts_form_load includes\shortcodes.php:393
filter adverts_the_content wpadverts.php:169
filter adverts_the_content wpadverts.php:170
filter adverts_the_content wpadverts.php:171
filter adverts_the_content wpadverts.php:172
action save_post_advert wpadverts.php:174
action deleted_post wpadverts.php:175
filter adverts_form_load wpadverts.php:177
action wp wpadverts.php:204
action template_redirect wpadverts.php:211
action wp wpadverts.php:215
action ajax_query_attachments_args wpadverts.php:219
action init wpadverts.php:421
filter the_content wpadverts.php:472
filter post_thumbnail_html wpadverts.php:480
action adverts_new_user_notification wpadverts.php:481
filter post_class wpadverts.php:482
action adverts_tpl_single_top wpadverts.php:484
action adverts_tpl_single_bottom wpadverts.php:485
filter adverts_create_user_from_post_id wpadverts.php:487
action template_redirect wpadverts.php:488
action wp_head wpadverts.php:503
filter adverts_form_load wpadverts.php:518
filter adverts_form_load wpadverts.php:519
action add_meta_boxes wpadverts.php:539
action add_meta_boxes wpadverts.php:540
filter display_post_states wpadverts.php:557
action post_submitbox_misc_actions wpadverts.php:558
action admin_print_scripts-post-new.php wpadverts.php:560
action admin_print_scripts-post.php wpadverts.php:561
action admin_print_scripts-edit.php wpadverts.php:562
action admin_head wpadverts.php:564
filter wp_insert_post_data wpadverts.php:565
action save_post wpadverts.php:566
action save_post wpadverts.php:567
filter post_updated_messages wpadverts.php:569
filter add_menu_classes wpadverts.php:571
action wpadverts_admin_types_after_title wpadverts.php:572
action edited_advert_category wpadverts.php:575
action advert_category_edit_form_fields wpadverts.php:576
filter wp_insert_post_data wpadverts.php:579
action admin_footer wpadverts.php:580
filter manage_edit-advert_columns wpadverts.php:614
action manage_advert_posts_custom_column wpadverts.php:615
filter manage_edit-advert_sortable_columns wpadverts.php:616
action load-edit.php wpadverts.php:619
action before_delete_post wpadverts.php:622
action init wpadverts.php:671
action init wpadverts.php:785
action rest_api_init wpadverts.php:786
action widgets_init wpadverts.php:787
action init wpadverts.php:791
action init wpadverts.php:794

Scheduled Events 4

adext_payments_event_gc
adverts_event_gc
adverts_event_expire_ads
adverts_event_delete_tmp_files
Maintenance & Trust

WPAdverts – Classifieds Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 2, 2026
PHP min version: 5.6
Downloads: 488K

Community Trust

Rating: 96/100
Number of ratings: 161
Active installs: 5K

Developer Profile

WPAdverts – Classifieds Plugin Developer Profile

Greg Winiarski

4 plugins · 6K total installs

Trust score: 88
Avg Security Score: 83/100
Avg Patch Time: 6 days
Detection Fingerprints

How We Detect WPAdverts – Classifieds Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpadverts/assets/css/wpadverts-autocomplete.css
/wp-content/plugins/wpadverts/assets/css/wpadverts-upload.css
/wp-content/plugins/wpadverts/assets/css/wpadverts-glyphs.css
/wp-content/plugins/wpadverts/assets/css/animation.css
/wp-content/plugins/wpadverts/assets/css/all.min.css
/wp-content/plugins/wpadverts/assets/css/blocks.min.css
/wp-content/plugins/wpadverts/assets/js/wpadverts-form.js

Script Paths
/wp-content/plugins/wpadverts/assets/js/wpadverts-form.js

Version Parameters
wpadverts-autocomplete, wpadverts-upload, wpadverts-glyphs, animation, all.min.css, blocks.min.css, wpadverts-form.js

HTML / DOM Fingerprints

CSS Classes
wpa-solid, wpa-shadow-none, atw-font-bold, atw-font-normal, adverts-upload-thumbnail, adverts-list, adverts-gallery

Data Attributes
data-adverts-form-id

JS Globals
wpadverts_form_data

FAQ

Frequently Asked Questions about WPAdverts – Classifieds Plugin