CVE-2026-3550: CWE-862 Missing Authorization in firetree RockPress
CVE-2026-3550 is a medium severity vulnerability in the RockPress WordPress plugin (up to version 1.0.17) caused by missing authorization checks on multiple AJAX actions. The plugin exposes a nonce to all authenticated users via an admin script loaded on all admin pages without restrictions. Because the AJAX handlers only verify the nonce and not user capabilities, any authenticated user, including those with Subscriber-level access, can exploit this to trigger resource-intensive import operations, reset import data, and check service connectivity. This flaw allows unauthorized users to perform administrative actions that should be restricted, potentially disrupting site functionality and data integrity. No known exploits are currently reported in the wild. Organizations using RockPress should urgently review user roles and update or patch the plugin once a fix is available.
AI Analysis
Technical Summary
The RockPress plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2026-3550. This vulnerability exists in all versions up to and including 1.0.17 due to the absence of proper capability checks on several AJAX endpoints: rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services. The plugin enqueues an admin script named 'rockpress-admin' on all admin pages, including profile.php, without restricting it to specific pages or user capabilities. This script exposes a nonce ('rockpress-nonce') to all authenticated users via wp_localize_script. The AJAX handlers validate only this nonce but do not verify the current user's permissions (i.e., they do not call current_user_can()). Consequently, any authenticated user—even those with minimal privileges such as Subscribers—can extract the nonce from the HTML source of any admin page and invoke these AJAX actions. Exploitation allows attackers to trigger resource-intensive import operations, reset import tracking data (which deletes options), and perform system connection checks that should be limited to administrators. While the vulnerability does not allow direct data disclosure or site takeover, it undermines the integrity of import operations and can lead to denial of service or operational disruption. The CVSS v3.1 base score is 5.3 (medium), reflecting network exploitability with low attack complexity and no required privileges beyond authentication. No public exploits have been reported, but the vulnerability poses a risk to any WordPress site using RockPress with multiple authenticated users.
Potential Impact
The primary impact of CVE-2026-3550 is unauthorized execution of administrative AJAX actions by low-privileged authenticated users. This can lead to several adverse effects: (1) Triggering resource-intensive import operations may degrade server performance or cause denial of service conditions, impacting site availability. (2) Resetting import tracking data deletes stored options, potentially disrupting import workflows and causing data loss or inconsistency. (3) Performing system connection checks could reveal internal service status or cause unintended side effects. Although confidentiality is not directly impacted, the integrity and availability of the import functionality are compromised. For organizations relying on RockPress for critical import tasks, this vulnerability can disrupt business processes and increase operational risk. Attackers with Subscriber-level access—often easy to obtain via registration or compromised accounts—can exploit this flaw, increasing the threat surface. The vulnerability also undermines the principle of least privilege and could be chained with other vulnerabilities for more severe attacks. Overall, the impact is moderate but significant for affected WordPress sites, especially those with multiple authenticated users and critical import dependencies.
Mitigation Recommendations
To mitigate CVE-2026-3550, organizations should take the following specific actions: 1) Immediately restrict user registrations and review existing user roles to minimize the number of low-privileged authenticated users who can access admin pages. 2) Temporarily disable or deactivate the RockPress plugin if import functionality is not critical or if the risk is unacceptable. 3) Monitor server performance and logs for unusual spikes in import-related AJAX requests that may indicate exploitation attempts. 4) Implement web application firewall (WAF) rules to detect and block suspicious AJAX requests targeting rockpress_import and related actions from low-privileged users. 5) Contact the vendor (firetree) for an official patch or update; apply it promptly once available. 6) As a longer-term fix, ensure that the plugin’s AJAX handlers enforce capability checks using current_user_can() before processing requests, and restrict the enqueueing of the 'rockpress-admin' script to appropriate admin pages and user roles only. 7) Educate site administrators about the risk of exposing nonces broadly and the importance of proper authorization checks in custom plugins. These steps go beyond generic advice by focusing on access control, monitoring, and temporary risk reduction until a patch is deployed.
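The following PHP is an added illustration of the authorization pattern described in the Technical Summary and in mitigation step 6; it is not RockPress code and was not taken from the vendor. The AJAX action names, the 'rockpress-admin' script handle and the 'rockpress-nonce' name come from the advisory above; the function names, the option name, the 'manage_options' capability, the 'toplevel_page_rockpress' hook suffix and the script path are hypothetical placeholders chosen for the example.

```php
<?php
// Added example (not the plugin's own code). Shows why a nonce alone is not an
// authorization check, and the two fixes the advisory calls for: a capability
// check in every AJAX handler, and enqueueing the nonce-bearing script only
// where it is needed. All function/option names below are hypothetical.

// --- Weak form: the CWE-862 pattern -----------------------------------------
// A nonce only proves the request came from a page that carried the nonce.
// If that nonce is localized into a script loaded on every admin page
// (profile.php included), every logged-in user can read it, so a nonce-only
// handler is reachable by Subscribers.
add_action( 'wp_ajax_rockpress_reset_import', 'hypothetical_reset_import_weak' );
function hypothetical_reset_import_weak() {
    check_ajax_referer( 'rockpress-nonce', 'nonce' ); // CSRF check, not authorization
    delete_option( 'rockpress_last_import' );         // hypothetical option name
    wp_send_json_success();
}

// --- Hardened form: capability check before any work ------------------------
function hypothetical_rockpress_authorize() {
    // Refuse unauthorized callers first; wp_send_json_error() ends the request.
    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Keep the nonce check as well: it is still the CSRF defence.
    check_ajax_referer( 'rockpress-nonce', 'nonce' );
}

add_action( 'wp_ajax_rockpress_reset_import', 'hypothetical_reset_import_hardened' );
function hypothetical_reset_import_hardened() {
    hypothetical_rockpress_authorize();
    delete_option( 'rockpress_last_import' );
    wp_send_json_success();
}

// The same gate belongs in each action the advisory lists. Hooking the
// authorizer at priority 0 makes it run before the handler registered on the
// same action; handlers should still call it themselves as defence in depth.
foreach ( array( 'rockpress_import', 'rockpress_import_status',
                 'rockpress_last_import', 'rockpress_check_services' ) as $action ) {
    add_action( 'wp_ajax_' . $action, 'hypothetical_rockpress_authorize', 0 );
}

// --- Restrict the script (and therefore the nonce) to the plugin's page -----
add_action( 'admin_enqueue_scripts', 'hypothetical_rockpress_enqueue_admin' );
function hypothetical_rockpress_enqueue_admin( $hook_suffix ) {
    // $hook_suffix is the current admin page handle WordPress passes to this
    // hook; 'toplevel_page_rockpress' is a hypothetical menu page handle.
    if ( 'toplevel_page_rockpress' !== $hook_suffix
         || ! current_user_can( 'manage_options' ) ) {
        return; // profile.php and other pages never receive the script or nonce
    }
    wp_enqueue_script( 'rockpress-admin', plugins_url( 'admin.js', __FILE__ ),
                       array( 'jquery' ), '1.0', true ); // path/version assumed
    wp_localize_script( 'rockpress-admin', 'rockpressData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'rockpress-nonce' ),
    ) );
}
```

The order inside the hardened authorizer matters: the capability test runs before the nonce test and before any option is touched, so a caller who lacks the capability learns nothing about the nonce and changes nothing. Limiting the enqueue to the plugin's own page is a second, independent layer; on its own it does not fix the handlers, since a user who can reach that page still reaches the nonce.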
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-04T18:46:43.897Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd0b4ce32a4fbe5f4933bf
Added to database: 3/20/2026, 8:54:36 AM
Last enriched: 3/20/2026, 9:09:12 AM
Last updated: 3/20/2026, 9:56:08 AM