CVE-2026-42726

AWP Classifieds <= 4.4.5 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.4.6
Patched in
8d
Time to patch

Description

The AWP Classifieds plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.4.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.4.5
PublishedMay 12, 2026
Last updatedMay 19, 2026

What Changed in the Fix

Changes introduced in v4.4.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2026-42726 - AWP Classifieds Missing Authorization ## 1. Vulnerability Summary The **AWP Classifieds** plugin (versions <= 4.4.5) contains a missing authorization vulnerability within its administrative AJAX handlers. Specifically, several functions registered via `wp_ajax_` (a…

Show full research plan

Research Plan: CVE-2026-42726 - AWP Classifieds Missing Authorization

1. Vulnerability Summary

The AWP Classifieds plugin (versions <= 4.4.5) contains a missing authorization vulnerability within its administrative AJAX handlers. Specifically, several functions registered via wp_ajax_ (and potentially exposed via admin_init) fail to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows unauthenticated users to perform administrative actions such as dismissing critical plugin notices or potentially manipulating plugin states by sending direct requests to admin-ajax.php.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: disable-quick-start-guide-notice (and potentially disable-widget-modification-notice)
  • Method: POST or GET
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. The specific notice must be "active" in the database for the change to be observable.

3. Code Flow

  1. Hook Registration: In admin/admin-panel.php, the AWPCP_AdminPanel class constructor registers AJAX actions:
    add_action('wp_ajax_disable-quick-start-guide-notice', array($this, 'disable_quick_start_guide_notice'));
    add_action('wp
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The AWP Classifieds plugin for WordPress is vulnerable to unauthorized dismissal of administrative notices in versions up to and including 4.4.5. This occurs because the plugin handles notice-dismissal actions via the admin_init hook or AJAX handlers without performing proper capability checks or nonce verification, allowing unauthenticated attackers to site-wide disable setup and configuration notices.

Vulnerable Code

// admin/admin-panel.php line 38-42
add_action('wp_ajax_disable-quick-start-guide-notice', array($this, 'disable_quick_start_guide_notice'));
add_action('wp_ajax_disable-widget-modification-notice', array($this, 'disable_widget_modification_notice'));

add_action('admin_init', array($this, 'init'));

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/another-wordpress-classifieds-plugin/4.4.5/admin/admin-panel.php /home/deploy/wp-safety.org/data/plugin-versions/another-wordpress-classifieds-plugin/4.4.6/admin/admin-panel.php
--- /home/deploy/wp-safety.org/data/plugin-versions/another-wordpress-classifieds-plugin/4.4.5/admin/admin-panel.php	2026-03-10 08:10:14.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/another-wordpress-classifieds-plugin/4.4.6/admin/admin-panel.php	2026-04-29 09:01:34.000000000 +0000
@@ -416,7 +416,7 @@
          */
         $show_quick_start_quide_notice = apply_filters( 'awpcp-show-quick-start-guide-notice', $show_quick_start_quide_notice );
 
-        if ( $show_quick_start_quide_notice && is_awpcp_admin_page() && ! $show_drip_autoresponder ) {
+        if ( $show_quick_start_quide_notice && awpcp_is_admin_page() && ! $show_drip_autoresponder ) {
             wp_enqueue_style( 'awpcp-admin-style' );
 
             include AWPCP_DIR . '/admin/templates/admin-quick-start-guide-notice.tpl.php';
... (truncated)

Exploit Outline

To exploit this vulnerability, an attacker can target the admin-ajax.php endpoint. Since the plugin processes certain actions within the admin_init hook—which executes for all requests to administrative scripts including for unauthenticated users—an attacker can send a GET or POST request with the 'action' parameter set to 'disable-quick-start-guide-notice' or 'disable-widget-modification-notice'. Because the corresponding handler functions fail to verify if the user has the 'manage_options' capability or check for a valid security nonce, the plugin will proceed to update the database options (e.g., 'awpcp-show-quick-start-guide-notice'), effectively dismissing the administrative notices site-wide for all legitimate administrators.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.