{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/awp-classifieds-plugin-for-wordpress--4.4.5/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5100"}],"_cs_exploited":false,"_cs_products":["AWP Classifieds plugin for WordPress (\u003c= 4.4.5)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe AWP Classifieds plugin for WordPress, a popular plugin used to create classified ads websites, contains a critical SQL Injection vulnerability. This flaw, identified as CVE-2026-5100, affects versions up to and including 4.4.5. The vulnerability resides within the handling of the \u0026lsquo;regions\u0026rsquo; parameter array keys, where insufficient input sanitization and inadequate SQL query preparation allow unauthenticated attackers to inject arbitrary SQL code. Successful exploitation of this vulnerability can lead to the unauthorized extraction of sensitive data stored in the WordPress database. Given the widespread use of WordPress and the AWP Classifieds plugin, this vulnerability poses a significant risk to websites relying on the plugin for classifieds functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using a vulnerable version of the AWP Classifieds plugin (\u0026lt;=4.4.5).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the page search functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u0026lsquo;regions\u0026rsquo; parameter array keys within the crafted request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code fails to properly sanitize the injected SQL code.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-controlled SQL query against the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to extract sensitive information, such as user credentials or other confidential data, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the extracted information to further compromise the WordPress website or related systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL Injection vulnerability (CVE-2026-5100) in the AWP Classifieds plugin could allow unauthenticated attackers to extract sensitive information from the affected WordPress database. This may include user credentials, personal data, or other confidential business information. The compromise of this information can lead to identity theft, financial fraud, and reputational damage. There is no victim count available, but all sites running vulnerable versions of this plugin are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the AWP Classifieds plugin to the latest version to patch CVE-2026-5100.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect AWP Classifieds SQL Injection Attempt\u003c/code\u003e to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) with rules to filter out malicious SQL injection payloads targeting the \u0026lsquo;regions\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eReview and harden database access controls to limit the potential impact of successful SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T03:15:59Z","date_published":"2026-05-05T03:15:59Z","id":"/briefs/2026-05-awp-classifieds-sqli/","summary":"The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5, potentially allowing unauthenticated attackers to extract sensitive information from the database.","title":"AWP Classifieds WordPress Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-awp-classifieds-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — AWP Classifieds Plugin for WordPress (\u003c= 4.4.5)","version":"https://jsonfeed.org/version/1.1"}