Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.3.8 - Authenticated (Subscriber+) Arbitrary File Download
Description
The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
<=5.3.8
What Changed in the Fix
Changes introduced in v5.3.9
Source Code
WordPress.org SVN
_fb_get_attachment_details` with `attachment_id=../../../../../../wp-config.php`.
4. The response contains the file content.
* `FormBuilderAjax.php` registers `rtcl_fb_get_attachment_details`.
* I will search for where this is used. It's used in the form builder.
* The shortcode for the form builder is often `[rtcl_post_form]` or `[rtcl_listing_form]`.
* I'll create a page with `[rtcl_listing_form]`.
* `nonceId`: `rtcl_nonce` (common for this plugin).
* `nonceText`: `rtcl_nonce`.
* Wait, let's look at `FilterFormAdminAjax.php`.
`if ( !wp_verify_nonce( isset( $_REQUEST[rtcl()->nonceId] ) ? $_REQUEST[rtcl()->nonceId] : null, rtcl()->nonceText ) )`
* If I check the page source for `rtcl_nonce`, I can find it.
* Wait, the CVSS is 4.3 (Medium). This usually means it's not a full unauthenticated RCE, but an authenticated file read.
* "Path Traversal in all versions up to, and including, 5.3.8."
* "Authenticated (Subscriber+)
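A detection example added here, not code from the plugin or from this advisory: it scans access-log lines for requests to the AJAX action named in the notes above whose `attachment_id` is anything other than a numeric post ID, undoing repeated percent-encoding first so a double-encoded traversal is not missed. The combined log format, the sample lines and the assumption that the value travels as a GET parameter are all constructed for the example.

```python
# Added detection example; not code from the plugin or this advisory.
# Assumes Apache/nginx combined-format access logs and that the traversal
# value arrives as a GET parameter named attachment_id (per the notes above).
import re
from urllib.parse import parse_qs, unquote, urlparse

ACTION = "rtcl_fb_get_attachment_details"  # AJAX action named in the research notes
PARAM = "attachment_id"                     # must only ever be a numeric post ID

# Constructed sample log lines, not real traffic: one benign request, two
# traversal attempts (the second double-URL-encoded), one unrelated action.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=rtcl_fb_get_attachment_details&attachment_id=42 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=rtcl_fb_get_attachment_details&attachment_id=../../../../../../wp-config.php HTTP/1.1" 200 3051
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=rtcl_fb_get_attachment_details&attachment_id=..%252F..%252Fwp-config.php HTTP/1.1" 200 3051
10.0.0.8 - - [01/Jan/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; double-encoding is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_attachment_id(raw: str) -> bool:
    """A legitimate attachment_id is a WordPress post ID, i.e. digits only."""
    return not fully_decode(raw).isdigit()

def find_traversal_attempts(log_text: str) -> list:
    """One record per request to the vulnerable action with a non-numeric attachment_id."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.endswith("/admin-ajax.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)  # decodes one layer of %XX
        if qs.get("action", [""])[0] != ACTION:
            continue
        for raw in qs.get(PARAM, []):
            if is_suspicious_attachment_id(raw):
                hits.append({"ip": m["ip"], "status": int(m["status"]), "raw": raw, "decoded": fully_decode(raw)})
    return hits
```

Only GET parameters are visible in access logs; for POST requests to admin-ajax.php the same check has to run on WAF or request-body logging, and a 200 status on a flagged request is the signal that the read succeeded.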