[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDFfa4l-OhRQm7NEGpvcf6711hDdoNMBqn4WO5e-8txc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42726","awp-classifieds-missing-authorization-3","AWP Classifieds \u003C= 4.4.5 - Missing Authorization","The AWP Classifieds plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.4.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","another-wordpress-classifieds-plugin",null,"\u003C=4.4.5","4.4.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-12 00:00:00","2026-05-19 13:18:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F358a5807-dbe5-4078-aaf3-3edf61c69bba?source=api-prod",8,[22,23,24,25,26,27,28,29],"README.TXT","admin\u002Fadmin-panel.php","admin\u002Fclass-csv-exporter.php","admin\u002Fclass-settings-admin-page.php","admin\u002Fimport\u002Fclass-csv-importer-delegate.php","admin\u002Fimport\u002Fclass-csv-reader.php","admin\u002Ftemplates\u002Fadmin-page.tpl.php","admin\u002Ftemplates\u002Fadmin-panel-credit-plans-entry-form.tpl.php","researched",false,3,"# Research Plan: CVE-2026-42726 - AWP Classifieds Missing Authorization\n\n## 1. Vulnerability Summary\nThe **AWP Classifieds** plugin (versions \u003C= 4.4.5) contains a missing authorization vulnerability within its administrative AJAX handlers. Specifically, several functions registered via `wp_ajax_` (and potentially exposed via `admin_init`) fail to perform a capability check (e.g., `current_user_can( 'manage_options' )`). This allows unauthenticated users to perform administrative actions such as dismissing critical plugin notices or potentially manipulating plugin states by sending direct requests to `admin-ajax.php`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `disable-quick-start-guide-notice` (and potentially `disable-widget-modification-notice`)\n- **Method:** POST or GET\n- **Authentication:** None required (unauthenticated). \n- **Preconditions:** The plugin must be active. The specific notice must be \"active\" in the database for the change to be observable.\n\n## 3. Code Flow\n1.  **Hook Registration:** In `admin\u002Fadmin-panel.php`, the `AWPCP_AdminPanel` class constructor registers AJAX actions:\n    ```php\n    add_action('wp_ajax_disable-quick-start-guide-notice', array($this, 'disable_quick_start_guide_notice'));\n    add_action('wp","The AWP Classifieds plugin for WordPress is vulnerable to unauthorized dismissal of administrative notices in versions up to and including 4.4.5. This occurs because the plugin handles notice-dismissal actions via the admin_init hook or AJAX handlers without performing proper capability checks or nonce verification, allowing unauthenticated attackers to site-wide disable setup and configuration notices.","\u002F\u002F admin\u002Fadmin-panel.php line 38-42\nadd_action('wp_ajax_disable-quick-start-guide-notice', array($this, 'disable_quick_start_guide_notice'));\nadd_action('wp_ajax_disable-widget-modification-notice', array($this, 'disable_widget_modification_notice'));\n\nadd_action('admin_init', array($this, 'init'));","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanother-wordpress-classifieds-plugin\u002F4.4.5\u002Fadmin\u002Fadmin-panel.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanother-wordpress-classifieds-plugin\u002F4.4.6\u002Fadmin\u002Fadmin-panel.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanother-wordpress-classifieds-plugin\u002F4.4.5\u002Fadmin\u002Fadmin-panel.php\t2026-03-10 08:10:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanother-wordpress-classifieds-plugin\u002F4.4.6\u002Fadmin\u002Fadmin-panel.php\t2026-04-29 09:01:34.000000000 +0000\n@@ -416,7 +416,7 @@\n          *\u002F\n         $show_quick_start_quide_notice = apply_filters( 'awpcp-show-quick-start-guide-notice', $show_quick_start_quide_notice );\n \n-        if ( $show_quick_start_quide_notice && is_awpcp_admin_page() && ! $show_drip_autoresponder ) {\n+        if ( $show_quick_start_quide_notice && awpcp_is_admin_page() && ! $show_drip_autoresponder ) {\n             wp_enqueue_style( 'awpcp-admin-style' );\n \n             include AWPCP_DIR . '\u002Fadmin\u002Ftemplates\u002Fadmin-quick-start-guide-notice.tpl.php';\n... (truncated)","To exploit this vulnerability, an attacker can target the admin-ajax.php endpoint. Since the plugin processes certain actions within the admin_init hook—which executes for all requests to administrative scripts including for unauthenticated users—an attacker can send a GET or POST request with the 'action' parameter set to 'disable-quick-start-guide-notice' or 'disable-widget-modification-notice'. Because the corresponding handler functions fail to verify if the user has the 'manage_options' capability or check for a valid security nonce, the plugin will proceed to update the database options (e.g., 'awpcp-show-quick-start-guide-notice'), effectively dismissing the administrative notices site-wide for all legitimate administrators.","gemini-3-flash-preview","2026-05-20 18:13:57","2026-05-20 18:15:40",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.4.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags\u002F4.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanother-wordpress-classifieds-plugin.4.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags\u002F4.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanother-wordpress-classifieds-plugin.4.4.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags"]