AWP Classifieds <= 4.4.5 - Missing Authorization
Description
The AWP Classifieds plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.4.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.4.5What Changed in the Fix
Changes introduced in v4.4.6
Source Code
WordPress.org SVN# Research Plan: CVE-2026-42726 - AWP Classifieds Missing Authorization ## 1. Vulnerability Summary The **AWP Classifieds** plugin (versions <= 4.4.5) contains a missing authorization vulnerability within its administrative AJAX handlers. Specifically, several functions registered via `wp_ajax_` (a…
Show full research plan
Research Plan: CVE-2026-42726 - AWP Classifieds Missing Authorization
1. Vulnerability Summary
The AWP Classifieds plugin (versions <= 4.4.5) contains a missing authorization vulnerability within its administrative AJAX handlers. Specifically, several functions registered via wp_ajax_ (and potentially exposed via admin_init) fail to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows unauthenticated users to perform administrative actions such as dismissing critical plugin notices or potentially manipulating plugin states by sending direct requests to admin-ajax.php.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
disable-quick-start-guide-notice(and potentiallydisable-widget-modification-notice) - Method: POST or GET
- Authentication: None required (unauthenticated).
- Preconditions: The plugin must be active. The specific notice must be "active" in the database for the change to be observable.
3. Code Flow
- Hook Registration: In
admin/admin-panel.php, theAWPCP_AdminPanelclass constructor registers AJAX actions:add_action('wp_ajax_disable-quick-start-guide-notice', array($this, 'disable_quick_start_guide_notice')); add_action('wp
Summary
The AWP Classifieds plugin for WordPress is vulnerable to unauthorized dismissal of administrative notices in versions up to and including 4.4.5. This occurs because the plugin handles notice-dismissal actions via the admin_init hook or AJAX handlers without performing proper capability checks or nonce verification, allowing unauthenticated attackers to site-wide disable setup and configuration notices.
Vulnerable Code
// admin/admin-panel.php line 38-42 add_action('wp_ajax_disable-quick-start-guide-notice', array($this, 'disable_quick_start_guide_notice')); add_action('wp_ajax_disable-widget-modification-notice', array($this, 'disable_widget_modification_notice')); add_action('admin_init', array($this, 'init'));
Security Fix
@@ -416,7 +416,7 @@ */ $show_quick_start_quide_notice = apply_filters( 'awpcp-show-quick-start-guide-notice', $show_quick_start_quide_notice ); - if ( $show_quick_start_quide_notice && is_awpcp_admin_page() && ! $show_drip_autoresponder ) { + if ( $show_quick_start_quide_notice && awpcp_is_admin_page() && ! $show_drip_autoresponder ) { wp_enqueue_style( 'awpcp-admin-style' ); include AWPCP_DIR . '/admin/templates/admin-quick-start-guide-notice.tpl.php'; ... (truncated)
Exploit Outline
To exploit this vulnerability, an attacker can target the admin-ajax.php endpoint. Since the plugin processes certain actions within the admin_init hook—which executes for all requests to administrative scripts including for unauthenticated users—an attacker can send a GET or POST request with the 'action' parameter set to 'disable-quick-start-guide-notice' or 'disable-widget-modification-notice'. Because the corresponding handler functions fail to verify if the user has the 'manage_options' capability or check for a valid security nonce, the plugin will proceed to update the database options (e.g., 'awpcp-show-quick-start-guide-notice'), effectively dismissing the administrative notices site-wide for all legitimate administrators.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.