CVE-2026-5100 - Vulnerability Details

Description

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: 2026-05-05

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The AWP Classifieds WordPress plugin (strategy11team:AWP Classifieds) is affected by a vulnerability that allows unauthenticated attackers to inject arbitrary SQL through the 'regions' parameter array keys. Because the code fails to escape user input and does not prepare the query properly, malicious requests can cause the plugin to concatenate additional SQL statements into the existing SELECT queries. An attacker could therefore read or modify database contents, leading to confidentiality or integrity compromise.

Affected Systems

All installations of the AWP Classifieds plugin up to and including version 4.4.5 are vulnerable. The vulnerability is present in the plugin’s core files and list‑query integration, which are used by sites running this plugin. Majority of WordPress sites that have not yet upgraded beyond 4.4.5 remain exposed.

Risk and Exploitability

The plugin’s CVSS score of 7.5 reflects a high severity remote exploitation risk. EPSS data is not available, so the precise likelihood of exploitation cannot be quantified, but the lack of authentication requirements makes the attack vector straightforward: a crafted HTTP request containing the 'regions' parameter is sufficient. The vulnerability is not listed in CISA’s KEV catalog, yet its critical nature warrants immediate action.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

strategy11team

AWP Classifieds

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.4.5

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the AWP Classifieds plugin to the latest available version that addresses the SQL Injection flaw, confirming the fix by comparing the plugin’s version number or checksum against the vendor release notes.
If an immediate upgrade is not feasible, limit unauthenticated access to the plugin’s search endpoints that accept the 'regions' parameter by applying web‑application firewall rules, rewrites, or .htaccess restrictions so that only authenticated users may send requests to those URLs.
Conduct a thorough security assessment of the WordPress site to identify other possible injection points, replace any remaining unsafe database queries with prepared statements, and verify that all user inputs are properly sanitized before use in SQL statements.

Generated by OpenCVE AI on May 5, 2026 at 03:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L168
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L174
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L63
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L70
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1240
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1258
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1269
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1276
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L339
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L342
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L795
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L804
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L881
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L887
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L890
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L895
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L902
https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L903
https://www.wordfence.com/threat-intel/vulnerabilities/id/7908d167-f831-4ed0-b754-2b390b5c3b2c?source=cve

History

Tue, 05 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title		AWP Classifieds <= 4.4.5 - Unauthenticated SQL Injection via 'regions'
Weaknesses		CWE-89
References		https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L168 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L174 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L63 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L70 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1240 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1258 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1269 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1276 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L339 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L342 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L795 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L804 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L881 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L887 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L890 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L895 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L902 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L903 https://www.wordfence.com/threat-intel/vulnerabilities/id/7908d167-f831-4ed0-b754-2b390b5c3b2c?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-05T02:26:55.631Z

Updated: 2026-05-05T02:26:55.631Z

Reserved: 2026-03-29T14:10:38.249Z

Link: CVE-2026-5100

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T03:15:59.730

Modified: 2026-05-05T03:15:59.730

Link: CVE-2026-5100

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T03:30:14Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object