Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-27092: WPAdverts – Classifieds Plugin <= 2.2.11 – Missing Authorization (wpadverts)

CVE ID CVE-2026-27092
Plugin wpadverts
Severity Medium (CVSS 4.3)
CWE 862
Vulnerable Version 2.2.11
Patched Version 2.3.0
Disclosed January 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-27092:
The vulnerability is a missing authorization check in the WPAdverts – Classifieds Plugin for WordPress, affecting versions up to and including 2.2.11. This flaw allows authenticated attackers with contributor-level permissions or higher to perform unauthorized actions. The CVSS score of 4.3 reflects a medium severity issue.

Atomic Edge research identifies the root cause in the `adext_contact_form_send` hook execution within the file `wpadverts/addons/contact-form/contact-form.php`. The code at line 136 executes the hook without verifying the user’s capability to perform the associated action. The function `adext_contact_form_delete_tmp_files` is subsequently called using a user-controlled `uniqid` parameter retrieved via `adverts_request`. The vulnerability stems from the absence of a capability check, such as `current_user_can`, before the `do_action` call.

An attacker exploits this by crafting a POST request to a WordPress AJAX endpoint or admin-post handler that triggers the `adext_contact_form_send` action. The attacker must be authenticated with at least contributor-level access. The payload includes the parameter `wpadverts-form-upload-uniqid` to specify which temporary files to delete. The request may also require a valid `_wpadverts_checksum` parameter. The exact endpoint is not visible in the diff, but typical WordPress patterns involve `admin-ajax.php` with an `action` parameter or `admin-post.php`.

The patch in version 2.3.0 does not directly address the missing authorization. The diff shows changes to file handling logic and template restrictions, but no added capability check. The primary fix for the missing authorization is not present in the provided code diff. Atomic Edge analysis concludes the patched version likely adds a capability check elsewhere in the codebase not shown in this diff. The visible changes improve input validation for the `uniqid` parameter by adding a type check and sanitization guard.

Successful exploitation allows unauthorized deletion of temporary uploaded files associated with other users’ classified ad submissions. This constitutes a data integrity and availability issue. Attackers can disrupt the normal operation of the contact form feature, potentially causing denial-of-service for specific users by deleting their pending file uploads. The impact is limited to the plugin’s temporary file storage and does not grant full system access.

Differential between vulnerable and patched code

Code Diff 
--- a/wpadverts/addons/contact-form/contact-form.php
+++ b/wpadverts/addons/contact-form/contact-form.php
@@ -136,8 +136,11 @@
             do_action( "adext_contact_form_send", $post_id, $form );

             // delete uploaded files ($form)
-            $uniqid = sanitize_file_name( adverts_request( "wpadverts-form-upload-uniqid" ) );
-            adext_contact_form_delete_tmp_files( $form->get_scheme(), $uniqid );
+            $request_uniqid = adverts_request( "wpadverts-form-upload-uniqid" );
+            if( is_string( $request_uniqid ) ) {
+                $uniqid = sanitize_file_name( $request_uniqid );
+                adext_contact_form_delete_tmp_files( $form->get_scheme(), $uniqid );
+            }

             $bind = array();
             $bind["_wpadverts_checksum"] = adverts_request( "_wpadverts_checksum" );
--- a/wpadverts/includes/functions.php
+++ b/wpadverts/includes/functions.php
@@ -2154,7 +2154,7 @@
     // the user's options are the third parameter
     if ( empty($args[2]['walker']) || !is_a($args[2]['walker'], 'Walker') ) {
         include_once ADVERTS_PATH . '/includes/class-walker-category-options.php';
-        $walker = new Adverts_Walker_Category_Dropdown;
+        $walker = new Adverts_Walker_Category_Options;
     } else {
         $walker = $args[2]['walker'];
     }
--- a/wpadverts/includes/shortcodes.php
+++ b/wpadverts/includes/shortcodes.php
@@ -725,5 +725,15 @@
         return sprintf( "<strong>ERROR</strong> Only posts of type %s are allowed (%s given).", join(", ", $allowed_types), esc_html( $post->post_type ) );
     }

+    $allowed_stats = ["publish"];
+
+    if( apply_filters( "wpadverts_allow_draft_templates", false ) === true ) {
+        $allowed_stats[] = "draft";
+    }
+
+    if( !in_array( $post->post_status, $allowed_stats ) ) {
+        return sprintf( "<strong>ERROR</strong> Only pages with status '%s' can be used as templates.", join( "', '", $allowed_stats ) );
+    }
+
     return do_blocks( $post->post_content );
 }
 No newline at end of file
--- a/wpadverts/wpadverts.php
+++ b/wpadverts/wpadverts.php
@@ -6,7 +6,7 @@
  * Author: Greg Winiarski
  * Text Domain: wpadverts
  * Domain Path: /languages
- * Version: 2.2.11
+ * Version: 2.3.0
  *
  * Adverts is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -70,7 +70,7 @@
         'hide_images_in_media_library' => 0,
         'delete_from_media_library' => 0,
         'adverts_manage_moderate' => 0,
-        'block_date_format' => 'd/m/Y'
+        'block_date_format' => 'd/m/Y',

     )
 );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School