[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feJK83EIbSES7rKSwa-2n8onojsQcBRjsWvhR3gOgKks":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39533","awp-classifieds-missing-authorization-2","AWP Classifieds \u003C= 4.4.4 - Missing Authorization","The AWP Classifieds plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.4.4. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","another-wordpress-classifieds-plugin",null,"\u003C=4.4.4","4.4.5","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Missing Authorization","2026-04-08 00:00:00","2026-04-15 18:51:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4d19c023-4aa1-40ec-a87b-dcde945e7a2c?source=api-prod",8,[22,23,24,25,26,27,28,29],"README.TXT","admin\u002Fadmin-panel-credit-plans-table.php","admin\u002Fadmin-panel-fees-table.php","admin\u002Fadmin-panel-users.php","admin\u002Fadmin-panel.php","admin\u002Fclass-add-edit-table-entry-rendering-helper.php","admin\u002Fclass-categories-admin-page.php","admin\u002Fclass-export-listings-admin-page.php","researched",false,3,"Vulnerability Research Plan: CVE-2026-39533 - AWP Classifieds Missing Authorization\n\n### 1. Vulnerability Summary\nThe AWP Classifieds plugin for WordPress (versions \u003C= 4.4.4) contains a missing authorization vulnerability in its AJAX and\u002For Admin Router handlers. The core issue resides in functions like `awpcp_check_admin_ajax()` or the `AWPCP_AdminUsers::ajax()` method which perform nonce verification but fail to check for user capabilities (e.g., `current_user_can('manage_options')`). Because the plugin exposes these nonces on various pages and may register certain actions via the `wp_ajax_nopriv_` hook or process them during `admin_init`, unauthenticated attackers can perform administrative actions such as modifying user credit balances or manipulating categories.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (or potentially `\u002Fwp-admin\u002Fadmin-post.php` via the Router).\n*   **Action:** `awpcp-users-credit` or `awpcp-users-debit`.\n*   **Authentication:** None (Unauthenticated). 
The CVSS vector `PR:N` indicates that the issue is rated as exploitable without authentication.\n*   **Preconditions:** The attacker must obtain a valid nonce (e.g., `awpcp_ajax`).\n\n### 3. Code Flow\n1.  The attacker sends a POST request to `admin-ajax.php` with `","The AWP Classifieds plugin for WordPress is vulnerable to unauthorized access to administrative functionality in all versions up to and including 4.4.4. Specifically, the AJAX handler for user credit management fails to perform a capability check, allowing attackers with a valid nonce to add or remove credits from any user account.","\u002F\u002F admin\u002Fadmin-panel-users.php (lines 24-25)\nadd_action('wp_ajax_awpcp-users-credit', array($this, 'ajax'));\nadd_action('wp_ajax_awpcp-users-debit', array($this, 'ajax'));\n\n---\n\n\u002F\u002F admin\u002Fadmin-panel-users.php (lines 108-124)\n    public function ajax() {\n        awpcp_check_admin_ajax();\n\n        $user_id = awpcp_get_var( array( 'param' => 'user', 'default' => 0 ), 'post' );\n        $action  = awpcp_get_var( array( 'param' => 'action' ), 'post' );\n        $action  = str_replace( 'awpcp-users-', '', $action );\n\n        switch ($action) {\n            case 'debit':\n            case 'credit':\n                $response = $this->ajax_edit_balance($user_id, $action);\n                break;\n            default:\n                $response = array();\n                break;\n        }\n\n        header('Content-Type: application\u002Fjson');\n        echo wp_json_encode( $response );\n        exit();\n    }","--- \u002Fadmin\u002Fadmin-panel-users.php\n+++ \u002Fadmin\u002Fadmin-panel-users.php\n@@ -109,6 +109,10 @@\n     public function ajax() {\n         awpcp_check_admin_ajax();\n \n+        if ( ! 
awpcp_current_user_is_admin() ) {\n+            die();\n+        }\n+\n         $user_id = awpcp_get_var( array( 'param' => 'user', 'default' => 0 ), 'post' );\n         $action  = awpcp_get_var( array( 'param' => 'action' ), 'post' );","The exploit targets the AJAX interface of the AWP Classifieds plugin to modify user credit balances without authorization. \n\n1. **Obtain Nonce:** The attacker must first obtain a valid `awpcp_ajax` nonce. This nonce is localized into the `awpcp-admin-users` script and may be visible to logged-in users on various admin pages or leaked through other plugin interactions.\n2. **Identify Target:** Identify the `user_id` of the account to be modified.\n3. **Craft AJAX Request:** Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following payload:\n    - `action`: `awpcp-users-credit` (to add) or `awpcp-users-debit` (to remove)\n    - `user`: [target user ID]\n    - `amount`: [integer credit amount]\n    - `save`: 1 (to trigger the persistence logic in `ajax_edit_balance`)\n    - `_wpnonce`: [valid awpcp_ajax nonce]\n4. 
**Execution:** Since the `ajax()` method only calls `awpcp_check_admin_ajax()` (which verifies the nonce) but lacks a `current_user_can()` check, the credits will be added\u002Fremoved from the target user account despite the attacker lacking administrative permissions.","gemini-3-flash-preview","2026-04-17 20:07:39","2026-04-17 20:08:34",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags\u002F4.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanother-wordpress-classifieds-plugin.4.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags\u002F4.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanother-wordpress-classifieds-plugin.4.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags"]