{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27092", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:24:05.456Z", "datePublished": "2026-02-19T08:27:11.805Z", "dateUpdated": "2026-04-28T16:15:01.646Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpadverts", "product": "WPAdverts", "vendor": "Greg Winiarski", "versions": [{"lessThanOrEqual": "2.3.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:14.101Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPAdverts: from n/a through <= 2.3.0.</p>"}], "value": "Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPAdverts: from n/a through <= 2.3.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.646Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpadverts/vulnerability/wordpress-wpadverts-plugin-2-2-11-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WPAdverts plugin <= 2.3.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T16:48:16.464641Z", "id": "CVE-2026-27092", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:56:25.285Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27092", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T16:48:16.464641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T16:48:09.449Z"}}], "cna": {"title": "WordPress WPAdverts plugin <= 2.3.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Greg Winiarski", "product": "WPAdverts", "versions": [{"status": "affected", "changes": [{"at": "2.3.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3.0"}], "packageName": "wpadverts", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:56.971Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpadverts/vulnerability/wordpress-wpadverts-plugin-2-2-11-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPAdverts: from n/a through <= 2.3.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPAdverts: from n/a through <= 2.3.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.674Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27092", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:56:25.285Z", "dateReserved": "2026-02-17T13:24:05.456Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:11.805Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPAdverts: from n/a through <= 2.3.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Greg Winiarski WPAdverts wpadverts permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WPAdverts: desde n/a hasta &lt;= 2.2.11."}], "id": "CVE-2026-27092", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:28.063", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpadverts/vulnerability/wordpress-wpadverts-plugin-2-2-11-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WPAdverts", "source": "cna", "vendor": "Greg Winiarski"}, "product": "wpadverts", "vendor": "greg_winiarski"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:05:18.660884+00:00", "value": {"mitigation_remediation": ["Update WPAdverts to the latest officially released version", "If an immediate update is not possible, restrict access to the plugin\u2019s administrative pages using web\u2011application firewall rules or authentication controls", "Verify that only users with the appropriate WordPress roles can edit or delete adverts, and monitor access logs for abnormal activity"], "summary": {"action": "Apply Patch", "impact": "Unauthorized privileged action"}, "threat_synthesis": {"affected_systems": "The issue impacts the WPAdverts plugin developed by Greg Winiarski. All installed versions up to and including 2.3.0 are affected. The product is a WordPress extension that manages classified ads on a site.", "description_and_impact": "A missing authorization flaw in the WordPress WPAdverts plugin enables an attacker to perform actions that should be restricted. The vulnerability allows exploitation of incorrectly configured access control security levels, potentially permitting the creation, modification or deletion of advert entries and other administrative functions that normally require higher privileges.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, but the EPSS score of less than 1% suggests that real\u2011world exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The probable attack vector is a remote web\u2011based exploit, inferred from the plugin\u2019s nature and the lack of a local requirement mentioned in the description. If an attacker can reach the plugin\u2019s administrative interface or trigger its functionality, the missing access control could be leveraged to obtain unauthorized data manipulation rights."}}}}, "created": "2026-02-20T10:07:58.302870+00:00", "updated": "2026-04-16T00:15:18.634221+00:00", "vendors": ["greg_winiarski", "greg_winiarski$PRODUCT$wpadverts", "wordpress", "wordpress$PRODUCT$wordpress"]}