[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3x2kTF-3OY-paCTAwfVez8Dx4_AS5it_pTJvdj9-_3A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-10779","classified-listing-missing-authorization-to-authenticated-subscriber-feature-modification-via-multiple-ajax-handlers-lis","Classified Listing \u003C= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'\u002F'id' Parameters)","The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability\u002Fownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own.","classified-listing",null,"\u003C=5.4.2","5.4.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-18 15:38:00","2026-06-19 03:41:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5f7660ba-c3be-44f0-91cb-809d0021759a?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.txt","app\u002FControllers\u002FAdmin\u002FNoticeController.php","app\u002FControllers\u002FAdmin\u002FScriptLoader.php","app\u002FControllers\u002FAjax\u002FFilterAjax.php","app\u002FControllers\u002FAjax\u002FFormBuilderAjax.php","app\u002FControllers\u002FAjax\u002FPublicUser.php","assets\u002Fblock\u002Fmain.asset.php","assets\u002Fblock\u002Fmain.js","researched",false,3,"I cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for this vulnerability. I can, however, provide information on the security principles involved and how to secure WordPress AJAX handlers against similar authorization issues.\n\n### Understanding the Vulnerability: Missing Authorization\n\nThe vulnerability described (CVE-2026-10779) is a classic example of **Missing Authorization** (often categorized under Insecure Direct Object Reference or IDOR). It occurs when an application performs a sensitive action based on user input without verifying that the authenticated user has the necessary permissions to perform that specific action on the target resource.\n\nIn WordPress plugins, this often happens in AJAX handlers. While developers frequently implement **Nonces** (Number used ONCE) to prevent Cross-Site Request Forgery (CSRF), nonces do not replace authorization checks.\n\n*   **Nonce Check:** Verifies that the request was intentional and came from the site's own interface. It confirms *intent*, not *permission*.\n*   **Authorization Check:** Verifies that the current user has the right to modify the specific resource (e.g., a post ID) passed in the request.\n\n### Security Best Practices for WordPress AJAX Handlers\n\nTo prevent unauthorized modification of data, developers should follow these practices:\n\n1.  **Enforce Capability Checks:** Always use `current_user_can()` to verify that the user has the general permission required for the action (e.g., `edit_posts` or a custom capability).\n2.  **Verify Ownership\u002FObject-Level Permissions:** Beyond general capabilities, check if the user is authorized to modify the specific object. For example, if a user is trying to update a listing, the code should verify that the user is either the author of that listing or an administrator.\n    ```php\n    $listing_id = absint( $_POST['listingId'] );\n    if ( ! current_user_can( 'edit_post', $listing_id ) ) {\n        wp_send_json_error( 'Unauthorized', 403 );\n    }\n    ```\n3.  **Use Specialized Security Functions:** WordPress provides functions like `check_ajax_referer()` to simplify nonce verification, but these must be accompanied by explicit permission checks.\n4.  **Input Validation and Sanitization:** Always validate that the IDs provided (like `listingId` or `attachmentId`) are integers and correspond to existing, valid objects of the expected type.\n\nFor further information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) project's guidance on Broken Access Control.","The Classified Listing plugin for WordPress is vulnerable to an IDOR (Insecure Direct Object Reference) because the `gallery_image_update_as_feature` AJAX handler lacks ownership or capability checks. This allows authenticated attackers with Subscriber-level access to change the featured image of any listing by providing its ID and a valid attachment ID, using a nonce available to all logged-in users.","\u002F* app\u002FControllers\u002FAjax\u002FFormBuilderAjax.php:588 *\u002F\n\n\tpublic function gallery_image_update_as_feature(): void {\n\t\tif ( ! wp_verify_nonce( isset( $_REQUEST[ rtcl()->nonceId ] ) ? $_REQUEST[ rtcl()->nonceId ] : null, rtcl()->nonceText ) ) {\n\t\t\twp_send_json_error( esc_html__( 'Session error !!', 'classified-listing' ) );\n\n\t\t\treturn;\n\t\t}\n\t\t$attachmentId = absint( Functions::request( \"attachmentId\" ) );\n\t\tif ( ! $attachmentId || ! $attach = get_post( $attachmentId ) ) {\n\t\t\twp_send_json_error( __( \"Attachment not found.\", \"classified-listing\" ) );\n\n\t\t\treturn;\n\t\t}\n\n\t\t$listingId = absint( Functions::request( \"listingId\" ) );\n\n\t\tif ( $attach->post_parent !== $listingId ) {\n\t\t\twp_send_json_error( __( \"Incorrect attachment ID.\", \"classified-listing\" ) );\n\n\t\t\treturn;\n\t\t}\n\t\tupdate_post_meta( $listingId, '_thumbnail_id', $attachmentId );\n\t\twp_send_json_success();\n\t}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.4.2\u002Fapp\u002FControllers\u002FAjax\u002FFormBuilderAjax.php\t2026-05-26 04:35:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fclassified-listing\u002F5.4.3\u002Fapp\u002FControllers\u002FAjax\u002FFormBuilderAjax.php\t2026-06-14 10:09:28.000000000 +0000\n@@ -604,6 +604,12 @@\n \n \t\t$listingId = absint( Functions::request( \"listingId\" ) );\n \n+\t\tif ( ( ! $listingId || ! $listing = rtcl()->factory->get_listing( $listingId ) || ! Functions::current_user_can( 'edit_' . rtcl()->post_type, $listingId ) ) || ( ! is_user_logged_in() && ! Functions::is_enable_post_for_unregister() ) ) {\n+\t\t\twp_send_json_error( __( 'You do not have sufficient permissions.', 'classified-listing' ) );\n+\n+\t\t\treturn;\n+\t\t}\n+\n \t\tif ( $attach->post_parent !== $listingId ) {\n \t\t\twp_send_json_error( __( \"Incorrect attachment ID.\", \"classified-listing\" ) );","1. Login to the WordPress site with Subscriber-level credentials.\n2. Browse to any page containing a listing submission or edit form to retrieve the `rtcl_nonce` and `rtcl_nonceId` from the localized JavaScript object `rtcl`.\n3. Identify the `listingId` of a listing owned by another user and an `attachmentId` that is already associated with that listing (the plugin validates that the attachment's parent matches the listing ID).\n4. Send an authenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n   - `action`: `rtcl_fb_gallery_image_update_as_feature`\n   - `listingId`: [Target Listing ID]\n   - `attachmentId`: [Valid Attachment ID for that Listing]\n   - `[rtcl_nonce_id]`: [Retrieved Nonce Value]\n5. Upon successful execution, the plugin will update the `_thumbnail_id` meta field for the target listing, effectively changing its featured image.","gemini-3-flash-preview","2026-06-25 20:50:49","2026-06-25 20:51:39",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclassified-listing\u002Ftags\u002F5.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclassified-listing.5.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclassified-listing\u002Ftags\u002F5.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclassified-listing.5.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclassified-listing\u002Ftags"]