Description
Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AWP Classifieds: from n/a through <= 4.4.5.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, the vulnerability is a missing authorization flaw in the Strategy11 Team AWP Classifieds WordPress plugin. Attackers who can reach the plugin’s administrative interfaces can bypass normal access controls and perform unauthorized editing, deletion, or creation of classified listings. This compromise can lead to data tampering, integrity violations, and possible disclosure of user‑generated content. The weakness is identified as CWE‑862, indicating a failure to restrict privileged functions.

Affected Systems

The flaw exists in all releases of the AWP Classifieds plugin up to and including version 4.4.5. Any WordPress site that has the plugin installed with that or an older version is potentially affected. Versions newer than 4.4.5 are not impacted.

Risk and Exploitability

The CVSS score of 6.5 corresponds to Medium severity. The EPSS score is not available, so the exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly verified exploits. Based on the description, it is inferred that attackers can exploit the flaw via the plugin’s web interface after authenticating or by leveraging misconfigured default access groups. When the plugin grants administrative‑level privileges to non‑admin users, the risk is higher and could facilitate fraud or content sabotage.

Generated by OpenCVE AI on May 27, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AWP Classifieds plugin to version 4.4.6 or later where the access‑control issue is fixed.
  • If an upgrade is not immediately feasible, restrict the plugin’s write‑level permissions to administrators only and disable any exposed management endpoints for non‑admin accounts.
  • Audit the site’s role and capability configuration, ensuring that only users with the minimum required capabilities can perform CRUD operations on classified listings, and review any custom capability additions.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Values Removed: (empty)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Values Removed: (empty)
Values Added:
  • Description: Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AWP Classifieds: from n/a through <= 4.4.5.
  • Title: WordPress AWP Classifieds plugin <= 4.4.5 - Broken Access Control vulnerability
  • Weaknesses: CWE-862
  • References
  • Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:54:46.207Z

Reserved: 2026-04-29T09:05:20.867Z

Link: CVE-2026-42726

Vulnrichment

Updated: 2026-05-27T10:54:41.600Z

NVD

Status: Received

Published: 2026-05-27T11:16:18.950

Modified: 2026-05-27T11:16:18.950

Link: CVE-2026-42726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:00:32Z
