CVE-2026-39533

Vulnerability

AWP Classifieds plugin for WordPress versions up to 4.4.4 contains a broken access control vulnerability due to missing authorization or authentication checks in a function, allowing unauthenticated users to execute actions reserved for higher privileged roles [1]. The specific function lacks nonce token or capability checks, making the code path reachable without any prior authentication.

Exploitation

An attacker with no authentication or any special network position can send crafted HTTP requests to the vulnerable endpoint. No user interaction or race window is required. The attacker simply needs to access the exposed function that should be protected by authorization; the missing check allows the request to succeed [1].

Impact

Successful exploitation leads to unauthorized execution of privileged actions, which can result in information disclosure, modification of data, or further compromise of the WordPress installation. The CVSS score of 7.5 indicates high severity, and the vulnerability is expected to be used in mass exploitation campaigns [1].

Mitigation

Update to version 4.4.5 or later, released to resolve the vulnerability [1]. If unable to update immediately, apply a mitigation rule from Patchstack to block attacks until the update is deployed. Consider enabling auto-updates for vulnerable plugins if using Patchstack [1].