HIGH · CVE-2026-39533 · CNA: Patchstack

CVE-2026-39533: WordPress AWP Classifieds plugin <= 4.4.4 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (none published)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Broken access control vulnerability in the AWP Classifieds WordPress plugin (versions 4.4.4 and earlier) allows an unauthenticated remote attacker to reach restricted functionality without logging in. The vulnerability is exploitable over the network with no credentials and no user interaction required. Successful exploitation disrupts service availability, bringing the affected site or plugin functionality down. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-39533 is available across every HarborGuard environment. The CVE is matched against customer images within minutes of ingestion from upstream feeds including Patchstack, and this covers custom-built images that bundle the AWP Classifieds plugin. Scans run continuously across both registry-stored images and active pipeline builds so new image pushes are checked immediately.

Status: Available

Triage

CVE-2026-39533 is scored at CVSS 7.5 HIGH and HarborGuard surfaces that score alongside per-environment compliance policy weighting to prioritize the finding appropriately within each customer org. Routing rules direct the alert to the team or inbox configured for WordPress plugin vulnerabilities or the relevant workload owner.

Status: Available

Patch

No fix version has been published upstream for CVE-2026-39533; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment WPTasty ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress site over the network; the plugin's vulnerable endpoint is exposed via standard HTTP/HTTPS with no network-layer restriction implied by the CVSS vector.

  • Authentication: Not required

    No account or credentials of any kind are needed; the vulnerability is fully unauthenticated.

  • Victim interaction: Not required

    No user action is required; the attacker sends requests directly to the affected endpoint without any social-engineering step.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race windows, or environmental setup.

Blast Radius

  • The attacker crashes or disables the AWP Classifieds plugin functionality, making listings, search, and related pages unavailable to site visitors.
  • Repeated or sustained requests can render the affected WordPress site unresponsive, causing a full denial-of-service condition for end users.
  • Availability impact is rated HIGH; confidentiality and data integrity are not affected by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: because no fix version exists yet for CVE-2026-39533, the platform monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild the moment WPTasty publishes a remediated version of AWP Classifieds. In the interim, compensating controls can reduce exposure: network policy rules that restrict public access to the affected plugin endpoints, web application firewall rules blocking unauthenticated requests to the vulnerable route, and egress filtering to limit blast radius if the denial-of-service condition is chained with other issues. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuilt image, a regression test run, and a PR opened against affected workloads automatically once upstream ships the fix, with no manual steps required.

Affected packages
  • WPTasty / AWP Classifieds
    ≤ 4.4.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H