Medium severity advisory (CVSS 5.3): RockPress (WordPress plugin slug: ft-rockpress) versions 1.0.17 and earlier are affected by CVE-2026-3550 due to missing authorization checks on multiple AJAX actions. CVE record: https://www.cve.org/CVERecord?id=CVE-2026-3550.
Attack Vectors
An attacker with any authenticated WordPress account (including low-privilege roles such as Subscriber) may be able to call RockPress AJAX endpoints that were intended for higher-privilege users.
The exposure is amplified because RockPress enqueues its rockpress-admin script broadly across admin pages (including profile.php) without restricting by page or user capability, and the related security nonce is exposed to all authenticated users in that context.
Reported affected AJAX actions include: rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services.
Security Weakness
This issue is a Missing Authorization weakness: the plugin does not consistently verify whether the requesting user has the appropriate permissions (capabilities) to perform sensitive administrative actions through AJAX.
In practice, exposing a nonce to all authenticated users is not sufficient protection when the server-side actions do not also enforce role/capability checks. As a result, users who should not have access can potentially trigger or influence RockPress operational workflows.
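The two points above (a nonce emitted to every logged-in admin-area visitor, and an AJAX handler that verifies only that nonce) are illustrated below in a weak-versus-hardened pair. This is an added example written for this advisory, not RockPress's source; the `example_` prefix, the `example-admin` script handle, the `example_admin` nonce action, the `example_import` AJAX action and the `example-settings` page slug are all placeholders, and the `manage_options` capability is an assumed stand-in for whatever capability the real import feature should require.

```php
<?php
// Added illustration of the weakness class described above; not RockPress code.
// All names prefixed "example" are placeholders chosen for this example.

// ----- Weak pattern -----

// Enqueued on every admin page (profile.php included) with no page or
// capability filter, so every authenticated user sees the nonce in the
// page source.
add_action( 'admin_enqueue_scripts', 'example_enqueue_everywhere' );
function example_enqueue_everywhere( $hook_suffix ) {
    wp_enqueue_script( 'example-admin', plugins_url( 'js/admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'nonce' => wp_create_nonce( 'example_admin' ),
    ) );
}

// A nonce only shows the request originated from a page the plugin rendered;
// it carries no information about what the caller is allowed to do, so this
// handler is reachable by any logged-in role (Subscriber included).
add_action( 'wp_ajax_example_import_weak', 'example_import_weak' );
function example_import_weak() {
    check_ajax_referer( 'example_admin', 'nonce' );
    example_run_import();
    wp_send_json_success();
}

// ----- Hardened pattern -----

// Emit the script (and its nonce) only on the plugin's own settings page
// (assumed slug 'example-settings', registered via add_options_page) and only
// for users who already hold the capability the AJAX action will require.
add_action( 'admin_enqueue_scripts', 'example_enqueue_restricted' );
function example_enqueue_restricted( $hook_suffix ) {
    if ( 'settings_page_example-settings' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'js/admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'nonce' => wp_create_nonce( 'example_admin' ),
    ) );
}

// Authorization is enforced on the server for every call, independent of how
// the nonce was obtained. wp_send_json_error() terminates the request, so the
// import never runs for an under-privileged caller.
add_action( 'wp_ajax_example_import', 'example_import_hardened' );
function example_import_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'example_admin', 'nonce' );
    example_run_import();
    wp_send_json_success();
}

// Minimal stand-in for the sensitive operation being protected (assumed).
function example_run_import() {
    update_option( 'example_last_import', time() );
}
```

The order in the hardened handler matters for auditing: failing the capability check before the nonce check means a denied request is recorded as an authorization failure rather than a generic nonce error, which is the signal an administrator reviewing logs wants when low-privilege accounts probe admin-only actions. Narrowing the enqueue by `$hook_suffix` and capability is defence in depth; the server-side `current_user_can()` check is the control that actually closes the gap.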
Technical or Business Impacts
Unauthorized operational changes: Low-privilege users may be able to start, reset, or query import-related processes and service checks via RockPress AJAX actions. Even when the integrity impact is considered “limited” (per CVSS), it can still introduce unwanted changes and administrative churn.
Marketing and content risk: If RockPress is used to import or manage content, unauthorized triggering or resetting of imports can lead to inconsistent publishing states, incorrect on-site information, or disrupted campaign timelines—creating brand and customer-trust risk.
Compliance and audit concerns: When non-admin users can influence site processes beyond their job role, it can weaken internal controls and complicate auditability (who changed what, and why), especially in regulated environments.
Similar Attacks
Authorization gaps in WordPress plugins are a common root cause behind real-world site incidents. Examples include:
Wordfence: WP GDPR Compliance plugin vulnerability (privilege/authorization issue)
CVE record: Ultimate Member privilege escalation (CVE-2020-11716)
Remediation
Update RockPress to version 1.0.18 or newer, which contains the patch for this authorization issue.
As a business safeguard, also review who has access to authenticated accounts (including temporary contractors and dormant users), and remove or downgrade accounts that are not required. This reduces exposure when vulnerabilities depend on “any logged-in user.”
Source advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/d5031631-9f12-47d3-997d-4418d348ab40