Threat Feed
Severity: high

AWP Classifieds WordPress Plugin SQL Injection Vulnerability

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5, potentially allowing unauthenticated attackers to extract sensitive information from the database.

The AWP Classifieds plugin for WordPress, a popular plugin used to create classified ads websites, contains a critical SQL Injection vulnerability. This flaw, identified as CVE-2026-5100, affects versions up to and including 4.4.5. The vulnerability resides within the handling of the 'regions' parameter array keys, where insufficient input sanitization and inadequate SQL query preparation allow unauthenticated attackers to inject arbitrary SQL code. Successful exploitation of this vulnerability can lead to the unauthorized extraction of sensitive data stored in the WordPress database. Given the widespread use of WordPress and the AWP Classifieds plugin, this vulnerability poses a significant risk to websites relying on the plugin for classifieds functionality.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress website using a vulnerable version of the AWP Classifieds plugin (<=4.4.5).
  2. The attacker crafts a malicious HTTP request targeting the page search functionality.
  3. The attacker injects SQL code into the 'regions' parameter array keys within the crafted request.
  4. The vulnerable code fails to properly sanitize the injected SQL code.
  5. The application executes the attacker-controlled SQL query against the WordPress database.
  6. The attacker is able to extract sensitive information, such as user credentials or other confidential data, from the database.
  7. The attacker may use the extracted information to further compromise the WordPress website or related systems.

Impact

Successful exploitation of this SQL Injection vulnerability (CVE-2026-5100) in the AWP Classifieds plugin could allow unauthenticated attackers to extract sensitive information from the affected WordPress database. This may include user credentials, personal data, or other confidential business information. The compromise of this information can lead to identity theft, financial fraud, and reputational damage. There is no victim count available, but all sites running vulnerable versions of this plugin are at risk.

Recommendation

  • Upgrade the AWP Classifieds plugin to the latest version to patch CVE-2026-5100.
  • Deploy the provided Sigma rule "Detect AWP Classifieds SQL Injection Attempt" to detect exploitation attempts in web server logs.
  • Implement a web application firewall (WAF) with rules to filter out malicious SQL injection payloads targeting the 'regions' parameter.
  • Review and harden database access controls to limit the potential impact of successful SQL injection attacks.

Detection coverage (2 rules)

Detect AWP Classifieds SQL Injection Attempt

Severity: high

Detects potential SQL injection attempts targeting the AWP Classifieds plugin via the 'regions' parameter in web server logs.

Rule type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux

Detect AWP Classifieds SQL Injection via POST

Severity: high

Detects potential SQL injection attempts targeting the AWP Classifieds plugin via the 'regions' parameter using the POST method.

Rule type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux
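The two rules above are described only in prose, and their queries are not on this page. The following log scanner is an added example, not the advisory's own Sigma rule nor code from the AWP Classifieds project. It shows the detection idea both rules share: a legitimate 'regions' array key is an integer index, so any request (GET query string or URL-encoded POST body) whose regions[...] key is non-numeric is anomalous, and one whose key carries SQL metacharacters or keywords is flagged as a probable injection attempt. The request path /search/, the log format, and the sample log lines are constructed for this example and are not taken from the plugin or the advisory.

```python
"""Scan web server log lines for suspicious keys in the 'regions' array parameter.

Added example for the detection rules described in the advisory; not the
platform's Sigma rule and not AWP Classifieds code. The endpoint path
'/search/' is a placeholder assumption, and the log lines are constructed.
"""
import re
from urllib.parse import parse_qsl

# Combined log format with an extra quoted field holding the URL-encoded POST
# body ("-" when absent). Access logs normally lack bodies; a WAF or request
# log that captures them is assumed for the POST variant.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<body>[^"]*)"$'
)

# Parameter names of the form regions[<key>]; the key is what the advisory
# says is injected.
REGIONS_KEY = re.compile(r"^regions\[(.*)\]$", re.IGNORECASE | re.DOTALL)

# Markers that never belong in an integer region id: quotes, comment
# openers, parentheses and common SQL keywords.
SUSPICIOUS_KEY = re.compile(
    r"""['"`()]|--|/\*|\b(?:select|union|sleep|benchmark)\b""",
    re.IGNORECASE,
)

# Constructed sample: two benign requests and two with injected keys.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /search/?regions[3]=1&keyword=car HTTP/1.1" 200 512 "-"
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /search/?regions[1%27%20OR%201%3D1--]=1 HTTP/1.1" 200 512 "-"
203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "POST /search/ HTTP/1.1" 200 512 "regions%5B1%29%20UNION%20SELECT%201%5D=1"
203.0.113.11 - - [10/Mar/2026:12:00:04 +0000] "POST /search/ HTTP/1.1" 200 512 "regions%5B4%5D=1&keyword=bike"
"""


def classify_key(key):
    """Return None for a clean integer key, otherwise a finding label."""
    if key.isdigit():
        return None
    if SUSPICIOUS_KEY.search(key):
        return "sqli-pattern"
    return "non-numeric-key"


def suspicious_region_keys(params):
    """Return (key, label) pairs for every regions[...] key that is not an integer."""
    hits = []
    for name, _value in params:
        m = REGIONS_KEY.match(name)
        if m is None:
            continue
        label = classify_key(m.group(1))
        if label is not None:
            hits.append((m.group(1), label))
    return hits


def scan_line(line):
    """Return a finding dict for one log line, or None if it is clean/unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    method = m.group("method")
    if method == "GET":
        raw = m.group("target").partition("?")[2]
    elif method == "POST":
        raw = "" if m.group("body") == "-" else m.group("body")
    else:
        return None
    # parse_qsl percent-decodes parameter names, so encoded brackets and
    # quotes in the key are visible to the classifier.
    keys = suspicious_region_keys(parse_qsl(raw, keep_blank_values=True))
    if not keys:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": method, "keys": keys}


def scan_log(text):
    """Scan a whole log and return the list of findings in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the non-numeric keys are reported, so the benign requests on lines 1 and 4 produce nothing while lines 2 and 3 are flagged; a key that is non-numeric but carries no SQL marker gets the softer "non-numeric-key" label so tuning the marker list does not silently drop it.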
