Description
The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin's nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the 'rockpress-admin' script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the 'rockpress-nonce' action is passed to this script via wp_localize_script. Since the AJAX handlers only verify this nonce and do not check current_user_can(), any authenticated user, including Subscribers, can extract the nonce from any admin page's HTML source and use it to trigger imports, reset import data (deleting options), check service connectivity, and read import status information. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger resource-intensive import operations, reset import tracking data, and perform system connection checks that should be restricted to administrators.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification via AJAX actions
Action: Patch
AI Analysis

Impact

The RockPress plugin for WordPress contains a missing authorization flaw in all versions up to and including 1.0.17. Several AJAX handlers (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, rockpress_check_services) perform only nonce verification and do not check user capabilities. The plugin unconditionally enqueues the 'rockpress-admin' script on every admin page, exposing the nonce to any authenticated user. As a result, an attacker who can log in as a Subscriber or higher can extract the nonce from the HTML source and use it to trigger import operations, delete tracking options, force service checks, and read import status. This allows arbitrary modification of the plugin's data and potentially exhaustion of resources, compromising data integrity and availability. The weakness is classified as CWE-862, Missing Authorization.

Affected Systems

This vulnerability affects the Firetree RockPress plugin for WordPress versions 1.0.17 and earlier. All installations that include these versions are susceptible, regardless of additional configuration. The plugin’s administrative script is enqueued on every admin page, including profile.php, meaning the risk is present for all sites running the vulnerable plugin version.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack is inferred to require an authenticated attacker using a standard user session; it does not involve remote code execution. The attacker needs a valid login with at least Subscriber privileges, which many WordPress installations grant freely. Once authenticated, extracting the nonce from any admin page lets the attacker reach the privileged operations with ordinary HTTP POST requests to the AJAX handlers.

Generated by OpenCVE AI on March 20, 2026 at 09:21 UTC.
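To make the two defects concrete, the following is an added PHP illustration of the pattern this record describes: a handler that verifies only the nonce, beside a hardened handler that also checks a capability, and an enqueue that only hands the nonce to users who may use it. It is not the RockPress plugin's own code; the function names, the option name, and the admin page hook suffix are assumed placeholders, while the action and nonce names are those named in the record.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler; not the plugin's code.
// Action name 'wp_ajax_rockpress_reset_import' and nonce action 'rockpress-nonce'
// come from the record; 'example_import_tracking' and the hook suffix are assumed.

// Vulnerable shape: the nonce proves the request came from a page that carried
// the nonce, not that the user is allowed to perform the action.
function example_reset_import_vulnerable() {
    check_ajax_referer( 'rockpress-nonce', 'nonce' );
    delete_option( 'example_import_tracking' ); // reachable by anyone holding the nonce
    wp_send_json_success();
}

// Hardened shape: the capability check is the authorization decision; the
// nonce stays as CSRF protection. wp_send_json_error() exits the request.
function example_reset_import_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    check_ajax_referer( 'rockpress-nonce', 'nonce' );
    delete_option( 'example_import_tracking' );
    wp_send_json_success();
}
add_action( 'wp_ajax_rockpress_reset_import', 'example_reset_import_hardened' );

// Defense in depth for the nonce exposure: admin_enqueue_scripts passes the
// current admin page's hook suffix, so the script (and the localized nonce)
// is only emitted on the plugin's own page and only for capable users.
// This narrows exposure but does not replace the capability check above.
function example_enqueue_admin_script( $hook_suffix ) {
    if ( 'toplevel_page_example-rockpress' !== $hook_suffix ) { // assumed slug
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'rockpress-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'rockpress-admin', 'rockpressAjax', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'rockpress-nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When auditing a plugin for this class of bug, grep each wp_ajax_ callback for a current_user_can() call; a handler that has only check_ajax_referer() or wp_verify_nonce() is the pattern to flag.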

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest RockPress plugin version that addresses the missing authorization issue.
  • If an immediate upgrade is not feasible, reduce nonce exposure by dequeuing the 'rockpress-admin' script on admin pages where it is not needed, or by removing the script altogether; note that this limits exposure but does not add the missing capability checks to the AJAX handlers.
  • Ensure that all authenticated users are provisioned with appropriate capabilities and audit the plugin’s code to confirm that capability checks are enforced on all sensitive AJAX endpoints.
  • Keep the site and all plugins updated, and monitor WordPress security advisories for further updates or zero-day information.

Generated by OpenCVE AI on March 20, 2026 at 09:21 UTC.

Tracking


Advisories

No advisories yet.

References
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-ajax.php#L33
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L50
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L88
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L125
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L145
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L184
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L206
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-ajax.php#L33
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L50
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L88
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L125
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L145
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L184
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L206
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3477205%40ft-rockpress&new=3477205%40ft-rockpress&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5031631-9f12-47d3-997d-4418d348ab40?source=cve
History

Fri, 20 Mar 2026 16:30:00 +0000

First Time appeared: values added Firetree, Firetree rockpress, Wordpress, Wordpress wordpress
Vendors & Products: values added Firetree, Firetree rockpress, Wordpress, Wordpress wordpress

Fri, 20 Mar 2026 13:15:00 +0000

Metrics (ssvc): values added {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 08:45:00 +0000

Description: values added (identical to the Description section at the top of this page)
Title: values added RockPress <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions
Weaknesses: values added CWE-862
References: values added
Metrics (cvssV3_1): values added {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:57.418Z

Reserved: 2026-03-04T18:46:43.897Z

Link: CVE-2026-3550

Vulnrichment

Updated: 2026-03-20T12:17:22.942Z

NVD

Status: Awaiting Analysis

Published: 2026-03-20T09:16:16.390

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-3550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T16:27:40Z

Weaknesses