CVE-2026-3550 - Vulnerability Details

Link	Providers
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-ajax.php#L33
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L50
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L88
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L125
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L145
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L184
https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L206
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-ajax.php#L33
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L50
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L88
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L125
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L145
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L184
https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L206
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3477205%40ft-rockpress&new=3477205%40ft-rockpress&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5031631-9f12-47d3-997d-4418d348ab40?source=cve

Type	Values Removed	Values Added
Description		The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin's nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the 'rockpress-admin' script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the 'rockpress-nonce' action is passed to this script via wp_localize_script. Since the AJAX handlers only verify this nonce and do not check current_user_can(), any authenticated user, including Subscribers, can extract the nonce from any admin page's HTML source and use it to trigger imports, reset import data (deleting options), check service connectivity, and read import status information. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger resource-intensive import operations, reset import tracking data, and perform system connection checks that should be restricted to administrators.
Title		RockPress <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-ajax.php#L33 https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L50 https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L88 https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L125 https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L145 https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L184 https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L206 https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-ajax.php#L33 https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L50 https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L88 https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L125 https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L145 https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L184 https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L206 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3477205%40ft-rockpress&new=3477205%40ft-rockpress&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/d5031631-9f12-47d3-997d-4418d348ab40?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3550", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T18:46:43.897Z", "datePublished": "2026-03-20T08:25:58.364Z", "dateUpdated": "2026-03-20T12:17:29.616Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-20T08:25:58.364Z"}, "affected": [{"vendor": "firetree", "product": "RockPress", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.0.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin's nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the 'rockpress-admin' script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the 'rockpress-nonce' action is passed to this script via wp_localize_script. Since the AJAX handlers only verify this nonce and do not check current_user_can(), any authenticated user, including Subscribers, can extract the nonce from any admin page's HTML source and use it to trigger imports, reset import data (deleting options), check service connectivity, and read import status information. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger resource-intensive import operations, reset import tracking data, and perform system connection checks that should be restricted to administrators."}], "title": "RockPress <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5031631-9f12-47d3-997d-4418d348ab40?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L206"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L206"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L125"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L125"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L145"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L145"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L184"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L184"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-ajax.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-ajax.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L88"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L88"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L50"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3477205%40ft-rockpress&new=3477205%40ft-rockpress&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "timeline": [{"time": "2026-03-04T23:24:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-19T19:51:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T12:17:09.328140Z", "id": "CVE-2026-3550", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T12:17:29.616Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin's nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the 'rockpress-admin' script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the 'rockpress-nonce' action is passed to this script via wp_localize_script. Since the AJAX handlers only verify this nonce and do not check current_user_can(), any authenticated user, including Subscribers, can extract the nonce from any admin page's HTML source and use it to trigger imports, reset import data (deleting options), check service connectivity, and read import status information. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger resource-intensive import operations, reset import tracking data, and perform system connection checks that should be restricted to administrators."}], "id": "CVE-2026-3550", "lastModified": "2026-03-20T09:16:16.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-20T09:16:16.390", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-ajax.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L88"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L125"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L145"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L184"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L206"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-ajax.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L88"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L125"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L145"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L184"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L206"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3477205%40ft-rockpress&new=3477205%40ft-rockpress&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5031631-9f12-47d3-997d-4418d348ab40?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{"analysis": {"en": {"generated_at": "2026-03-20T09:21:32.767556+00:00", "value": {"mitigation_remediation": ["Check for and install the latest RockPress plugin version that addresses the missing authorization issue.", "If an immediate upgrade is not feasible, restrict the plugin\u2019s AJAX actions by disabling the 'rockpress-admin' script on all admin pages or by removing the script altogether to stop nonce exposure.", "Ensure that all authenticated users are provisioned with appropriate capabilities and audit the plugin\u2019s code to confirm that capability checks are enforced on all sensitive AJAX endpoints.", "Keep the site and all plugins updated, and monitor WordPress security advisories for further updates or zero\u2011day information."], "summary": {"action": "Patch", "impact": "Unauthorized data modification via AJAX actions"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Firetree RockPress plugin for WordPress versions 1.0.17 and earlier. All installations that include these versions are susceptible, regardless of additional configuration. The plugin\u2019s administrative script is enqueued on every admin page, including profile.php, meaning the risk is present for all sites running the vulnerable plugin version.", "description_and_impact": "The RockPress plugin for WordPress contains a missing authorization flaw in all versions up to and including 1.0.17. Several AJAX handlers (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, rockpress_check_services) perform only nonce verification and do not check user capabilities. The plugin permanently enqueues the 'rockpress-admin' script on every admin page, exposing the nonce to any authenticated user. As a result, an attacker who can log in as a Subscriber or higher can extract the nonce from the HTML source and use it to trigger import operations, delete tracking options, force service checks, and read import status. This allows arbitrary modification of the plugin\u2019s data and potentially exhaustion of resources, compromising data integrity and availability. The weakness is classified as CWE-862, Missing Authorization.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an authenticated attacker using a standard user session; the vulnerability does not require remote code execution or network exploitation. The attacker needs a valid login with at least Subscriber privileges, which are commonly granted in many WordPress installations. Once authenticated, extraction of the nonce from any admin page allows the attacker to perform the privileged operations through simple HTTP POST requests to the AJAX handlers."}}}}, "created": "2026-03-20T10:36:34.753072+00:00", "updated": "2026-03-20T10:36:34.753133+00:00", "vendors": []}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

Projects

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object