WordPress Plugin Vulnerabilities

AWP Classifieds <= 4.4.3 - Unauthenticated Arbitrary Shortcode Execution

Description

The plugin is vulnerable to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
another-wordpress-classifieds-plugin
No known fix

References

CVE
CVE-2025-57928
URL
https://patchstack.com/database/wordpress/plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-3-5-content-injection-vulnerability

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Kishan Vyas
Verified
No
WPVDB ID
249187d7-c634-461c-8c8b-13a713336fa5

Timeline

Publicly Published
2025-09-22 (about 9 months ago)
Added
2025-09-26 (about 9 months ago)
Last Updated
2025-11-24 (about 7 months ago)

Other

Published
Title
Published
2023-03-20
Title
JetEngine < 3.1.3.1 - Author+ Remote Code Execution
Published
2024-10-09
Title
External featured image from bing <= 1.0.2 - Authenticated (Subscriber+) Remote Code Execution
Published
2025-07-10
Title
GB Forms DB < 1.0.3 - Unauthenticated Remote Code Execution
Published
2026-03-16
Title
Post Snippets – Custom WordPress Code Snippets Customizer < 4.0.13 - Authenticated (Contributor+) Remote Code Execution
Published
2026-01-15
Title
Event Tickets with Ticket Scanner < 2.8.6 - Unauthenticated Remote Code Execution