WordPress Plugin Vulnerabilities

WPAdverts – Classifieds Plugin < 2.3.1 - Missing Authorization

Description

The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.3.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
wpadverts
Fixed in 2.3.1

References

CVE
CVE-2026-40782
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8f82ad33-8c9b-47f8-b02b-013b4112c914

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
TheNetRunner Security Research
Verified
No
WPVDB ID
e6054f80-4746-435b-b74b-d4abca5b474c

Timeline

Publicly Published
2026-04-22 (about 1 month ago)
Added
2026-04-30 (about 25 days ago)
Last Updated
2026-04-30 (about 25 days ago)

Other

Published
Title
Published
2025-03-31
Title
ACME Divi Modules <= 1.3.5 - Missing Authorization
Published
2024-11-12
Title
Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Export
Published
2024-02-22
Title
Admin side data storage for Contact Form 7 <= 1.1.1 - Missing Authorization to Unauthenticated Bookmark Status Alteration
Published
2024-09-30
Title
Popup Maker < 1.20.0 - Missing Authorization
Published
2023-10-24
Title
Mediabay <= 1.6 - Missing Authorization via AJAC actions