AWP Classifieds <= 4.4.4 - Missing Authorization
Description
The AWP Classifieds plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.4.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Technical Details
Affected versions: <= 4.4.4
What Changed in the Fix
Changes introduced in v4.4.5
Source Code
WordPress.org SVN
Vulnerability Research Plan: CVE-2026-39533 - AWP Classifieds Missing Authorization
1. Vulnerability Summary
The AWP Classifieds plugin for WordPress (versions <= 4.4.4) contains a missing authorization vulnerability in its AJAX and/or Admin Router handlers. The core issue resides in functions like awpcp_check_admin_ajax() or the AWPCP_AdminUsers::ajax() method which perform nonce verification but fail to check for user capabilities (e.g., current_user_can('manage_options')). Because the plugin exposes these nonces on various pages and may register certain actions via the wp_ajax_nopriv_ hook or process them during admin_init, unauthenticated attackers can perform administrative actions such as modifying user credit balances or manipulating categories.
2. Attack Vector Analysis
- Endpoint: `/wp-admin/admin-ajax.php` (or potentially `/wp-admin/admin-post.php` via the Router).
- Action: `awpcp-users-credit` or `awpcp-users-debit`.
- Authentication: None (Unauthenticated). The CVSS vector `PR:N` confirms unauthenticated access is possible.
- Preconditions: The attacker must obtain a valid nonce (e.g., `awpcp_ajax`).
3. Code Flow
- The attacker sends a POST request to `admin-ajax.php` with `
Summary
The AWP Classifieds plugin for WordPress is vulnerable to unauthorized access to administrative functionality in versions up to 4.4.4. Specifically, the AJAX handler for user credit management fails to perform a capability check, allowing attackers with a valid nonce to add or remove credits from any user account.
Vulnerable Code
```php
// admin/admin-panel-users.php (lines 24-25)
// Both credit and debit actions are routed to the same ajax() method.
add_action('wp_ajax_awpcp-users-credit', array($this, 'ajax'));
add_action('wp_ajax_awpcp-users-debit', array($this, 'ajax'));
```

```php
// admin/admin-panel-users.php (lines 108-124)
public function ajax() {
    awpcp_check_admin_ajax(); // verifies the nonce only; no capability check follows

    $user_id = awpcp_get_var( array( 'param' => 'user', 'default' => 0 ), 'post' );
    $action  = awpcp_get_var( array( 'param' => 'action' ), 'post' );
    $action  = str_replace( 'awpcp-users-', '', $action );

    switch ($action) {
        case 'debit':
        case 'credit':
            // Balance is changed for any user ID supplied in the request.
            $response = $this->ajax_edit_balance($user_id, $action);
            break;
        default:
            $response = array();
            break;
    }

    header('Content-Type: application/json');
    echo wp_json_encode( $response );
    exit();
}
```
Security Fix
@@ -109,6 +109,10 @@ public function ajax() { awpcp_check_admin_ajax(); + if ( ! awpcp_current_user_is_admin() ) { + die(); + } + $user_id = awpcp_get_var( array( 'param' => 'user', 'default' => 0 ), 'post' ); $action = awpcp_get_var( array( 'param' => 'action' ), 'post' );
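Review bot: the new guard exits with a bare `die()`, so a request that fails `awpcp_current_user_is_admin()` gets an empty HTTP 200 body, even though the rest of the method sets `Content-Type: application/json` and answers with `wp_json_encode( $response )`; consider `wp_send_json_error( null, 403 )` (or `wp_die( '', '', array( 'response' => 403 ) )`) so clients and monitoring can tell a rejected request from an empty result. The placement is right: the check sits after `awpcp_check_admin_ajax()`, so the nonce is still verified before the capability test.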
Exploit Outline
The exploit targets the AJAX interface of the AWP Classifieds plugin to modify user credit balances without authorization.

1. **Obtain Nonce:** The attacker must first obtain a valid `awpcp_ajax` nonce. This nonce is localized into the `awpcp-admin-users` script and may be visible to logged-in users on various admin pages or leaked through other plugin interactions.
2. **Identify Target:** Identify the `user_id` of the account to be modified.
3. **Craft AJAX Request:** Send a POST request to `/wp-admin/admin-ajax.php` with the following payload:
   - `action`: `awpcp-users-credit` (to add) or `awpcp-users-debit` (to remove)
   - `user`: [target user ID]
   - `amount`: [integer credit amount]
   - `save`: 1 (to trigger the persistence logic in `ajax_edit_balance`)
   - `_wpnonce`: [valid awpcp_ajax nonce]
4. **Execution:** Since the `ajax()` method only calls `awpcp_check_admin_ajax()` (which verifies the nonce) but lacks a `current_user_can()` check, the credits will be added/removed from the target user account despite the attacker lacking administrative permissions.
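The root cause in both the vulnerable code and the exploit outline is a handler that proves the request came from a WordPress-served page (nonce) but never asks whether the caller is allowed to act (capability). The following is an added example, not code from the advisory or the AWP Classifieds project: a small Python triage script that scans PHP source for `add_action('wp_ajax_…')` / `add_action('wp_ajax_nopriv_…')` registrations, extracts each callback body, and flags handlers with no capability check. It treats `awpcp_current_user_is_admin()` as a capability check because the plugin's fix uses it; the `Finding` dataclass, the function names, and the `demo_export` sample are mine, and the sample sources are constructed from the code shown on this page plus that hypothetical handler.

```python
"""Heuristic audit for WordPress AJAX handlers that verify a nonce (CSRF) but
never check a capability (authorization), the bug class fixed in AWP Classifieds 4.4.5.
Added example; not code from the advisory or the plugin."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Authorization checks: decide WHO may perform the action. awpcp_current_user_is_admin
# is the plugin-specific wrapper used in the fix (assumption that it is equivalent);
# the other two are WordPress core.
CAPABILITY_CHECKS = ("current_user_can", "is_super_admin", "awpcp_current_user_is_admin")
# Nonce checks only prove the request came from a page WordPress served; not authorization.
NONCE_CHECKS = ("check_ajax_referer", "wp_verify_nonce", "awpcp_check_admin_ajax")

# add_action('wp_ajax_<action>', array($this, 'method'))  or  add_action('wp_ajax_nopriv_<action>', 'function')
ACTION_RE = re.compile(
    r"add_action\(\s*['\"](wp_ajax_(?:nopriv_)?)([\w-]+)['\"]\s*,\s*"
    r"(?:array\(\s*\$this\s*,\s*['\"](\w+)['\"]\s*\)|['\"](\w+)['\"])"
)


def function_body(source: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of `function name(...)`, or None if absent.
    Brace counting ignores braces inside PHP string literals; good enough for triage."""
    match = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not match:
        return None
    start = source.find("{", match.end())
    if start == -1:
        return None
    depth = 0
    for pos in range(start, len(source)):
        if source[pos] == "{":
            depth += 1
        elif source[pos] == "}":
            depth -= 1
            if depth == 0:
                return source[start:pos + 1]
    return None


@dataclass
class Finding:
    hook: str              # full hook name, e.g. wp_ajax_awpcp-users-credit
    action: str            # value of the `action` POST parameter that reaches this handler
    callback: str          # PHP method or function name
    has_nonce: bool
    has_capability: bool
    unauthenticated: bool  # registered under wp_ajax_nopriv_, reachable without login


def audit(source: str) -> List[Finding]:
    """One Finding per AJAX registration found in the PHP source."""
    findings = []
    for m in ACTION_RE.finditer(source):
        prefix, action, method, func = m.groups()
        callback = method or func
        body = function_body(source, callback) or ""
        findings.append(Finding(
            hook=prefix + action,
            action=action,
            callback=callback,
            has_nonce=any(fn + "(" in body for fn in NONCE_CHECKS),
            has_capability=any(fn + "(" in body for fn in CAPABILITY_CHECKS),
            unauthenticated=prefix.endswith("nopriv_"),
        ))
    return findings


def missing_authorization(source: str) -> List[Finding]:
    """Handlers reachable through admin-ajax.php that never perform a capability check."""
    return [f for f in audit(source) if not f.has_capability]


def report(source: str) -> List[str]:
    lines = []
    for f in audit(source):
        reach = "unauthenticated" if f.unauthenticated else "logged-in users"
        verdict = "ok" if f.has_capability else "MISSING CAPABILITY CHECK"
        lines.append(f"{f.hook} -> {f.callback}() nonce={f.has_nonce} "
                     f"capability={f.has_capability} reach={reach}: {verdict}")
    return lines


# Constructed sample: the registration and handler shown in the advisory (<= 4.4.4).
VULNERABLE_SAMPLE = """
class AWPCP_AdminUsers {
    public function __construct() {
        add_action('wp_ajax_awpcp-users-credit', array($this, 'ajax'));
        add_action('wp_ajax_awpcp-users-debit', array($this, 'ajax'));
    }
    public function ajax() {
        awpcp_check_admin_ajax();
        $user_id = awpcp_get_var( array( 'param' => 'user', 'default' => 0 ), 'post' );
        $action = awpcp_get_var( array( 'param' => 'action' ), 'post' );
        $action = str_replace( 'awpcp-users-', '', $action );
        switch ($action) {
            case 'debit':
            case 'credit':
                $response = $this->ajax_edit_balance($user_id, $action);
                break;
            default:
                $response = array();
                break;
        }
        header('Content-Type: application/json');
        echo wp_json_encode( $response );
        exit();
    }
}
"""

# Constructed sample: the same handler with the 4.4.5 guard inserted after the nonce check.
FIXED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "awpcp_check_admin_ajax();",
    "awpcp_check_admin_ajax();\n        if ( ! awpcp_current_user_is_admin() ) {\n            die();\n        }",
)

# Constructed, hypothetical sample: an unauthenticated handler with neither nonce nor capability check.
NOPRIV_SAMPLE = """
add_action('wp_ajax_nopriv_demo-export', 'demo_export');
function demo_export() {
    echo wp_json_encode( demo_collect_rows() );
    exit();
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("fixed", FIXED_SAMPLE), ("nopriv", NOPRIV_SAMPLE)):
        print(f"== {label} ==")
        print("\n".join(report(src)))
```

The script is a triage aid rather than a proof: a capability check performed inside a helper that the regex does not know about will be reported as missing, so add project-specific wrappers to `CAPABILITY_CHECKS` before trusting a clean result, and treat any `wp_ajax_nopriv_` finding with `nonce=False` as the highest-priority item to read by hand.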