WP-Safety
CVE-2026-42640

Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.3.8 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
5.3.9
Patched in
6d
Time to patch

Description

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.3.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.3.8
PublishedApril 29, 2026
Last updatedMay 4, 2026
Affected pluginclassified-listing

What Changed in the Fix

Changes introduced in v5.3.9

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v5.3.8
Browse source Download .zip
Patched v5.3.9
Browse source Download .zip
Research Plan
Unverified

5.3.8) doesn't check if the user owns the image, an unauthenticated attacker can delete any attachment in the WordPress media library by guessing the ID. This is a classic "Missing Authorization" (IDOR) that fits the "unauthenticated" profile. However, the description says "Missing Authorizatio…

Show full research plan

5.3.8) doesn't check if the user owns the image, an unauthenticated attacker can delete any attachment in the WordPress media library by guessing the ID. This is a classic "Missing Authorization" (IDOR) that fits the "unauthenticated" profile.
However, the description says "Missing Authorization" (Missing capability check). This usually means a function that should be admin-only.

Let's go with the most obvious "Admin function with missing capability check":
**`rtcl_edit_field_insert`** or **`rtcl_edit_field_delete`** in `AjaxCFG.php`.
Even though the snippet doesn't show `nopriv`, I'll assume it's reachable or the vulnerability is Subscriber+.
Wait, the CVSS is 5.3.
`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
`I:L` (Integrity: Low), `A:N` (Availability: None).
This matches "Unauthorized action" like creating a draft post or changing a minor setting.
If it were `A:H`, it would be deleting posts.

Okay, `AjaxCFG::edit_field_insert`.
It creates a draft post. Integrity: Low.
`FilterFormAdminAjax::create_update_filter`.
It updates an option. Integrity: Low.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Classified Listing plugin fails to perform capability checks in several AJAX handlers, allowing unauthenticated or low-privileged users to manage custom fields, modify filter settings, and update global configuration options. Additionally, file upload handlers lacked ownership verification, permitting users to attach files to arbitrary listings.

Vulnerable Code

// app/Controllers/Ajax/AjaxCFG.php:18
	function edit_field_delete() {
		$data = null;
		$error = true;
		if ( Functions::verify_nonce() ) {
			$post_id = !empty( $_REQUEST['id'] ) ? $_REQUEST['id'] : 0;
			if ( $post_id && ( $post = get_post( $post_id ) ) && $post->post_type === rtcl()->post_type_cf ) {
				$p = wp_delete_post( $post_id, true );

---

// app/Controllers/Ajax/FilterFormAdminAjax.php:20
	public function create_update_filter() {
		if ( !wp_verify_nonce( isset( $_REQUEST[rtcl()->nonceId] ) ? $_REQUEST[rtcl()->nonceId] : null, rtcl()->nonceText ) ) {
			wp_send_json_error( esc_html__( 'Session error !!', 'classified-listing' ) );
		}
		$filterId = !empty( $_POST['filterId'] ) ? sanitize_text_field( wp_unslash( $_POST['filterId'] ) ) : '';

---

// app/Controllers/Ajax/FormBuilderAjax.php:664 (Before ownership check was added)
		$parent_post_id = isset( $_POST["listingId"] ) ? absint( $_POST["listingId"] ) : 0;

		Filters::beforeUpload();
		// you can use WP's wp_handle_upload() function:
		$status = wp_handle_upload( $_FILES['image'], [ 'test_form' => false ] );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/classified-listing/5.3.8/app/Controllers/Ajax/AjaxCFG.php /home/deploy/wp-safety.org/data/plugin-versions/classified-listing/5.3.9/app/Controllers/Ajax/AjaxCFG.php
--- /home/deploy/wp-safety.org/data/plugin-versions/classified-listing/5.3.8/app/Controllers/Ajax/AjaxCFG.php	2026-03-17 08:37:52.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/classified-listing/5.3.9/app/Controllers/Ajax/AjaxCFG.php	2026-04-20 09:33:34.000000000 +0000
@@ -18,8 +18,12 @@
 	function edit_field_delete() {
 		$data = null;
 		$error = true;
-		if ( Functions::verify_nonce() ) {
-			$post_id = !empty( $_REQUEST['id'] ) ? $_REQUEST['id'] : 0;
+		if ( !Functions::verify_nonce() ) {
+			$msg = esc_html__( "Session expired", "classified-listing" );
+		} elseif ( !current_user_can( 'manage_rtcl_options' ) ) {
+			$msg = esc_html__( "You do not have permission to delete custom fields.", "classified-listing" );
+		} else {
+			$post_id = !empty( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
 			if ( $post_id && ( $post = get_post( $post_id ) ) && $post->post_type === rtcl()->post_type_cf ) {
 				$p = wp_delete_post( $post_id, true );
 				if ( $p ) {
@@ -32,8 +36,6 @@
 				$data = $_REQUEST;
 				$msg = esc_html__( "Field was not selected", "classified-listing" );
 			}
-		} else {
-			$msg = esc_html__( "Session expired", "classified-listing" );
 		}
 		wp_send_json( [
 			'data'  => $data,
@@ -43,6 +45,14 @@
 	}
 
 	function edit_field_choose() {
+		if ( !Functions::verify_nonce() ) {
+			esc_html_e( "Session expired", "classified-listing" );
+			die();
+		}
+		if ( !current_user_can( 'manage_rtcl_options' ) ) {
+			esc_html_e( "You do not have permission to view custom fields.", "classified-listing" );
+			die();
+		}
 		$html = null;
 		$fields = Options::get_custom_field_list();
 		$html .= "<p>" . esc_html__( "You can choose from the available fields:", "classified-listing" ) . "</p>";
@@ -58,8 +68,12 @@
 		$data = null;
 		$error = true;
 		$type = !empty( $_REQUEST['type'] ) && array_key_exists( $_REQUEST['type'], Options::get_custom_field_list() ) ? esc_attr( $_REQUEST['type'] ) : 'text';
-		if ( Functions::verify_nonce() ) {
-			$parent_id = !empty( $_REQUEST['id'] ) ? $_REQUEST['id'] : 0;
+		if ( !Functions::verify_nonce() ) {
+			$msg = esc_html__( "Session expired", "classified-listing" );
+		} elseif ( !current_user_can( 'manage_rtcl_options' ) ) {
+			$msg = esc_html__( "You do not have permission to insert custom fields.", "classified-listing" );
+		} else {
+			$parent_id = !empty( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
 			if ( $type && $parent_id ) {
 				$field_id = wp_insert_post( [
 						'post_status' => 'draft',
@@ -76,8 +90,6 @@
 				$data = $_REQUEST;
 				$msg = esc_html__( "Select a field type", "classified-listing" );
 			}
-		} else {
-			$msg = esc_html__( "Session expired", "classified-listing" );
 		}

Exploit Outline

The exploit involves sending crafted AJAX requests to the `wp-admin/admin-ajax.php` endpoint. For configuration and filter tampering, an attacker identifies administrative actions such as `rtcl_edit_field_insert` or `rtcl_admin_settings_filter_update_name`. If a valid nonce can be obtained (often exposed on the frontend for specific features), the attacker can invoke these functions to modify settings or delete fields because the backend fails to call `current_user_can`. For file uploads, an attacker can use the `rtcl_fb_gallery_image_upload` action, providing a `listingId` that belongs to another user. Because the plugin does not verify if the current user has the `edit_rtcl_listing` capability for that specific listing ID, the file is successfully attached to the victim's listing.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/cbb25a81-a92b-4773-9194-9aa355750817?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database