Medium severity6.5NVD Advisory· Published May 27, 2026

CVE-2026-42726

Description

Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AWP Classifieds: from n/a through <= 4.4.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The AWP Classifieds plugin for WordPress (≤ 4.4.5) has a missing authorization flaw that lets unprivileged attackers access or modify restricted resources.

Vulnerability

A missing authorization vulnerability exists in the Strategy11 Team AWP Classifieds plugin for WordPress (another-wordpress-classifieds-plugin) versions from n/a through 4.4.5 [1]. The plugin fails to properly enforce access control checks, allowing exploitation of incorrectly configured access control security levels. This broken access control issue enables unprivileged users to bypass authorization and perform higher-privileged actions [1].

Exploitation

An attacker can exploit this vulnerability without needing any special privileges or authentication, as the missing authorization check allows direct access to restricted functions or endpoints [1]. The attack is remotely exploitable over the network and does not require user interaction. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an unprivileged attacker to execute higher-privileged actions, potentially leading to unauthorized access, modification, or disclosure of sensitive data [1]. The vulnerability has a CVSS v3 score of 6.5 (Medium) [1].

Mitigation

The vulnerability is fixed in version 4.4.6 of the plugin [1]. Users are advised to update to version 4.4.6 or later immediately. If unable to update, users can ask their hosting provider or web developer for assistance, or use Patchstack's mitigation rules to block attacks until a patch is applied [1].

References

Broken Access Control in WordPress AWP Classifieds Plugin

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Another Wordpress Classifieds Plugininferred2 versions
<= 4.4.5+ 1 more
- (no CPE)range: <= 4.4.5
- (no CPE)range: <=4.4.5
Package: https://wordpress.org/plugins/another-wordpress-classifieds-plugin

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

patchstack.com/database/Wordpress/Plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-5-broken-access-control-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000