Vulnerabilities related to radiustheme - classified_listing
Vulnerability from fkie_nvd
Published
2022-09-16 09:15
Modified
2025-06-05 19:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting
References
Source | URL | Tags |
---|---|---|
contact@wpscan.com | https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993 | Exploit, Third Party Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
radiustheme | classified_listing | * | |
radiustheme | classified_listing | * | |
radiustheme | classified_listing_store_\&_membership | * | |
radiustheme | classima | * | |
radiustheme | classima_core | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:radiustheme:classified_listing:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F6BB1636-BF05-4E52-A66D-C8DA983696BB", "versionEndExcluding": "2.0.20", "vulnerable": true }, { "criteria": "cpe:2.3:a:radiustheme:classified_listing:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "BE3B87D7-0F7A-4C7C-B9DA-EBE4ACA2D2DE", "versionEndExcluding": "2.2.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:radiustheme:classified_listing_store_\\\u0026_membership:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EC749AA4-4196-4FBE-A603-DBD93CA8F7F3", "versionEndExcluding": "1.4.20", "vulnerable": true }, { "criteria": "cpe:2.3:a:radiustheme:classima:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E1D0A54D-70D1-497F-B186-9F7DD9D18A43", "versionEndExcluding": "2.1.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:radiustheme:classima_core:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E6C2EECE-92B2-4939-926A-7DBE5F02227D", "versionEndExcluding": "1.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store \u0026 Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting" }, { "lang": "es", "value": "El tema Classima de WordPress versiones anteriores a 2.1.11 y algunos de sus plugins necesarios (Classified Listing versiones anteriores a 2.2.14, Classified Listing Pro versiones anteriores a 2.0.20, Classified Listing Store \u0026amp; Membership versiones anteriores a 1.4.20 y Classima Core versiones anteriores a 1.10) no escapan un par\u00e1metro antes de devolverlo en atributos, conllevando a una taque de tipo Cross-Site Scripting Reflejado" } ], "id": "CVE-2022-2654", 
"lastModified": "2025-06-05T19:15:23.347", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2022-09-16T09:15:10.727", "references": [ { "source": "contact@wpscan.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993" } ], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "contact@wpscan.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2024-04-09 19:15
Modified
2025-01-17 17:30
Severity ?
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtcl_update_user_account' function. This makes it possible for unauthenticated attackers to change the administrator user's password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
radiustheme | classified_listing | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:radiustheme:classified_listing:*:*:*:*:-:wordpress:*:*", "matchCriteriaId": "F971EA1A-7D1C-46B7-AB06-128BA87960B2", "versionEndExcluding": "3.0.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the \u0027rtcl_update_user_account\u0027 function. This makes it possible for unauthenticated attackers to change the administrator user\u0027s password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account." }, { "lang": "es", "value": "El complemento Classified Listing \u2013 Classified ads \u0026amp; Business Directory Plugin para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 3.0.4 incluida. Esto se debe a una validaci\u00f3n nonce faltante o incorrecta en la funci\u00f3n \u0027rtcl_update_user_account\u0027. Esto hace posible que atacantes no autenticados cambien la contrase\u00f1a y la direcci\u00f3n de correo electr\u00f3nico del usuario administrador a trav\u00e9s de una solicitud falsificada, siempre que puedan enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace. Esto bloquea al administrador fuera del sitio y le impide restablecer su contrase\u00f1a, al tiempo que le otorga al atacante acceso a su cuenta." 
} ], "id": "CVE-2024-1315", "lastModified": "2025-01-17T17:30:38.363", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary" } ] }, "published": "2024-04-09T19:15:16.340", "references": [ { "source": "security@wordfence.com", "tags": [ "Product" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.1/app/Controllers/Ajax/PublicUser.php#L445" }, { "source": "security@wordfence.com", "tags": [ "Product" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.5/app/Controllers/Ajax/PublicUser.php#L445" }, { "source": "security@wordfence.com", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5439651e-5557-4b13-813a-4fc0ad876104?source=cve" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.1/app/Controllers/Ajax/PublicUser.php#L445" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.5/app/Controllers/Ajax/PublicUser.php#L445" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5439651e-5557-4b13-813a-4fc0ad876104?source=cve" } ], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": 
"Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-09-16 09:15
Modified
2024-11-21 07:01
Severity ?
Summary
The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
References
Source | URL | Tags |
---|---|---|
contact@wpscan.com | https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b | Exploit, Third Party Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
radiustheme | classified_listing | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:radiustheme:classified_listing:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F6BB1636-BF05-4E52-A66D-C8DA983696BB", "versionEndExcluding": "2.0.20", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting" }, { "lang": "es", "value": "El plugin Classified Listing Pro de WordPress versiones anteriores a 2.0.20, no escapa de una URL generada antes de devolverla a un atributo en una p\u00e1gina de administraci\u00f3n, conllevando a un ataque de tipo Cross-Site Scripting Reflejado" } ], "id": "CVE-2022-2655", "lastModified": "2024-11-21T07:01:27.193", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-09-16T09:15:10.787", "references": [ { "source": "contact@wpscan.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b" } ], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "contact@wpscan.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-04-09 19:15
Modified
2025-01-17 17:23
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtcl_import_location() and rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
radiustheme | classified_listing | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:radiustheme:classified_listing:*:*:*:*:-:wordpress:*:*", "matchCriteriaId": "F971EA1A-7D1C-46B7-AB06-128BA87960B2", "versionEndExcluding": "3.0.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access \u0026 modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms." }, { "lang": "es", "value": "El complemento Classified Listing \u2013 Classified ads \u0026amp; Business Directory Plugin para WordPress es vulnerable al acceso no autorizado y a la modificaci\u00f3n de datos debido a una falta de verificaci\u00f3n de capacidad en las funciones rtcl_import_location() rtcl_import_category() en todas las versiones hasta la 3.0.4 incluida. Esto hace posible que los atacantes autenticados, con acceso a nivel de suscriptor y superior, creen t\u00e9rminos." 
} ], "id": "CVE-2024-1352", "lastModified": "2025-01-17T17:23:55.973", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-04-09T19:15:16.517", "references": [ { "source": "security@wordfence.com", "tags": [ "Product" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166" }, { "source": "security@wordfence.com", "tags": [ "Product" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893" }, { "source": "security@wordfence.com", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": 
"https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve" } ], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-02-25 07:15
Modified
2025-02-28 16:07
Severity ?
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
radiustheme | classified_listing | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:radiustheme:classified_listing:*:*:*:*:-:wordpress:*:*", "matchCriteriaId": "A17B9E4D-B6A6-4F8E-92A6-38FCDD635E22", "versionEndExcluding": "4.0.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens." }, { "lang": "es", "value": " El complemento Classified Listing \u2013 Classified ads \u0026amp; Business Directory Plugin para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en todas las versiones hasta la 4.0.4 incluida a trav\u00e9s de la funci\u00f3n rtcl_taxonomy_settings_export. Esto permite que atacantes no autenticados extraigan datos confidenciales, incluidas claves API y tokens." 
} ], "id": "CVE-2025-1063", "lastModified": "2025-02-28T16:07:01.990", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary" } ] }, "published": "2025-02-25T07:15:17.127", "references": [ { "source": "security@wordfence.com", "tags": [ "Patch" ], "url": "https://plugins.trac.wordpress.org/changeset/3241883/classified-listing" }, { "source": "security@wordfence.com", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e701b771-59f2-4783-b0a1-bea4d6c3d245?source=cve" } ], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security@wordfence.com", "type": "Primary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2024-04-25 08:15
Modified
2025-04-23 19:35
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
radiustheme | classified_listing | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:radiustheme:classified_listing:*:*:*:*:-:wordpress:*:*", "matchCriteriaId": "E1D656C1-F5FC-4580-A8FA-62C2B002D80D", "versionEndExcluding": "3.0.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachements." }, { "lang": "es", "value": "El complemento Classified Listing \u2013 Classified ads \u0026amp; Business Directory Plugin para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la acci\u00f3n rtcl_fb_gallery_image_delete AJAX en todas las versiones hasta la 3.0.10.3 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen archivos adjuntos arbitrarios." 
} ], "id": "CVE-2024-3893", "lastModified": "2025-04-23T19:35:15.900", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-04-25T08:15:07.490", "references": [ { "source": "security@wordfence.com", "tags": [ "Patch" ], "url": "https://plugins.trac.wordpress.org/changeset/3073754/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAjax.php" }, { "source": "security@wordfence.com", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d?source=cve" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://plugins.trac.wordpress.org/changeset/3073754/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAjax.php" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d?source=cve" } ], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-862" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-18 13:15
Modified
2024-11-21 08:11
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
radiustheme | classified_listing | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:radiustheme:classified_listing:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4E0E04FC-6612-47EF-935C-7A5082340975", "versionEndIncluding": "2.4.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin \u003c=\u00a02.4.5 versions." } ], "id": "CVE-2023-37387", "lastModified": "2024-11-21T08:11:37.530", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-18T13:15:12.103", "references": [ { "source": "audit@patchstack.com", "tags": [ "Third Party Advisory" ], "url": "https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve" } ], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "audit@patchstack.com", "type": "Primary" } ] }
CVE-2022-2654 (GCVE-0-2022-2654)
Vulnerability from cvelistv5
Published
2022-09-16 08:40
Modified
2025-06-05 18:18
CWE
- CWE-79 - Cross-Site Scripting (XSS)
Summary
The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting
References
URL | Tags |
---|---|
https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Unknown | Classified Listing – Classified ads & Business Directory Plugin | Version: 2.2.14 < 2.2.14 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:03.475Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-2654", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-03T18:27:00.689359Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-05T18:18:42.406Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin", "vendor": "Unknown", "versions": [ { "lessThan": "2.2.14", "status": "affected", "version": "2.2.14", "versionType": "custom" } ] }, { "product": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin", "vendor": "Unknown", "versions": [ { "lessThan": "2.0.20", "status": "affected", "version": "2.0.20", "versionType": "custom" } ] }, { "product": "Classified Listing Store \u0026 Membership Addon", "vendor": "Unknown", "versions": [ { "lessThan": "1.4.20", "status": "affected", "version": "1.4.20", "versionType": "custom" } ] }, { "product": "Classima Core", "vendor": "Unknown", "versions": [ { "lessThan": "1.10", "status": "affected", "version": "1.10", "versionType": "custom" 
} ] }, { "product": "Classima", "vendor": "Unknown", "versions": [ { "lessThan": "2.1.11", "status": "affected", "version": "2.1.11", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Team ISH Tecnologia (Thiago Martins" }, { "lang": "en", "value": "Jorge Buzeti" }, { "lang": "en", "value": "Leandro Inacio" }, { "lang": "en", "value": "Lucas de Souza" }, { "lang": "en", "value": "Matheus Oliveira" }, { "lang": "en", "value": "Filipe Baptistella" }, { "lang": "en", "value": "Leonardo Paiva" }, { "lang": "en", "value": "Jose Thomaz" }, { "lang": "en", "value": "Joao Maciel" }, { "lang": "en", "value": "Vinicius Pereira" }, { "lang": "en", "value": "Geovanni Campos" }, { "lang": "en", "value": "Hudson Nowak" }, { "lang": "en", "value": "Guilherme Acerbi) and Islan Ferreira." } ], "descriptions": [ { "lang": "en", "value": "The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store \u0026 Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-16T08:40:31.000Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993" } ], "source": { "discovery": "EXTERNAL" }, "title": "Classima \u003c 2.1.11 - Reflected Cross-Site Scripting", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-2654", "STATE": "PUBLIC", "TITLE": "Classima \u003c 2.1.11 - Reflected Cross-Site Scripting" }, "affects": { "vendor": { "vendor_data": 
[ { "product": { "product_data": [ { "product_name": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.2.14", "version_value": "2.2.14" } ] } }, { "product_name": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.0.20", "version_value": "2.0.20" } ] } }, { "product_name": "Classified Listing Store \u0026 Membership Addon", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "1.4.20", "version_value": "1.4.20" } ] } }, { "product_name": "Classima Core", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "1.10", "version_value": "1.10" } ] } }, { "product_name": "Classima", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.1.11", "version_value": "2.1.11" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Team ISH Tecnologia (Thiago Martins" }, { "lang": "eng", "value": "Jorge Buzeti" }, { "lang": "eng", "value": "Leandro Inacio" }, { "lang": "eng", "value": "Lucas de Souza" }, { "lang": "eng", "value": "Matheus Oliveira" }, { "lang": "eng", "value": "Filipe Baptistella" }, { "lang": "eng", "value": "Leonardo Paiva" }, { "lang": "eng", "value": "Jose Thomaz" }, { "lang": "eng", "value": "Joao Maciel" }, { "lang": "eng", "value": "Vinicius Pereira" }, { "lang": "eng", "value": "Geovanni Campos" }, { "lang": "eng", "value": "Hudson Nowak" }, { "lang": "eng", "value": "Guilherme Acerbi) and Islan Ferreira." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store \u0026 Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting" } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-2654", "datePublished": "2022-09-16T08:40:31.000Z", "dateReserved": "2022-08-04T00:00:00.000Z", "dateUpdated": "2025-06-05T18:18:42.406Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-37387 (GCVE-0-2023-37387)
Vulnerability from cvelistv5
Published
2023-07-18 12:14
Modified
2024-09-25 17:01
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in the RadiusTheme Classified Listing plugin, versions <= 2.4.5.
Impacted products
Vendor | Product | Version |
---|---|---|
RadiusTheme | Classified Listing | Version: n/a < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:09:34.074Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-37387", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-25T16:35:16.984070Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-25T17:01:58.603Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "classified-listing", "product": "Classified Listing", "vendor": "RadiusTheme", "versions": [ { "changes": [ { "at": "2.4.6", "status": "unaffected" } ], "lessThanOrEqual": "2.4.5", "status": "affected", "version": "n/a", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Lana Codes (Patchstack Alliance)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;2.4.5 versions.\u003c/span\u003e" } ], "value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin \u003c=\u00a02.4.5 versions." 
} ], "impacts": [ { "capecId": "CAPEC-62", "descriptions": [ { "lang": "en", "value": "CAPEC-62 Cross Site Request Forgery" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-18T12:14:15.680Z", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack" }, "references": [ { "tags": [ "vdb-entry" ], "url": "https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update to\u0026nbsp;2.4.6 or a higher version." } ], "value": "Update to\u00a02.4.6 or a higher version." } ], "source": { "discovery": "EXTERNAL" }, "title": "WordPress Classified Listing Plugin \u003c= 2.4.5 is vulnerable to Cross Site Request Forgery (CSRF)", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2023-37387", "datePublished": "2023-07-18T12:14:15.680Z", "dateReserved": "2023-07-05T11:22:04.822Z", "dateUpdated": "2024-09-25T17:01:58.603Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-3893 (GCVE-0-2024-3893)
Vulnerability from cvelistv5
Published
2024-04-25 07:33
Modified
2024-08-01 20:26
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.
Impacted products
Vendor | Product | Version |
---|---|---|
techlabpro1 | Classified Listing – Classified ads & Business Directory Plugin | Version: * ≤ 3.0.10.3 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "classified_listing_plugin", "vendor": "techlabpro1", "versions": [ { "status": "affected", "version": "*" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-3893", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-25T16:26:27.283994Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:31:45.354Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:26:57.110Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d?source=cve" }, { "tags": [ "x_transferred" ], "url": "https://plugins.trac.wordpress.org/changeset/3073754/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAjax.php" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin", "vendor": "techlabpro1", "versions": [ { "lessThanOrEqual": "3.0.10.3", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Lucio S\u00e1" } ], "descriptions": [ { "lang": "en", "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 
rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachements." } ], "metrics": [ { "cvssV3_1": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-862 Missing Authorization", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-25T07:33:59.902Z", "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence" }, "references": [ { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d?source=cve" }, { "url": "https://plugins.trac.wordpress.org/changeset/3073754/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAjax.php" } ], "timeline": [ { "lang": "en", "time": "2024-04-24T00:00:00.000+00:00", "value": "Disclosed" } ] } }, "cveMetadata": { "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "assignerShortName": "Wordfence", "cveId": "CVE-2024-3893", "datePublished": "2024-04-25T07:33:59.902Z", "dateReserved": "2024-04-16T17:36:20.477Z", "dateUpdated": "2024-08-01T20:26:57.110Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-1352 (GCVE-0-2024-1352)
Vulnerability from cvelistv5
Published
2024-04-09 18:59
Modified
2024-08-08 19:18
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtcl_import_location() and rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.
Impacted products
Vendor | Product | Version |
---|---|---|
techlabpro1 | Classified Listing – Classified ads & Business Directory Plugin | Version: * ≤ 3.0.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T18:33:25.618Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve" }, { "tags": [ "x_transferred" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166" }, { "tags": [ "x_transferred" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "classified_listing_plugin", "vendor": "techlabpro1", "versions": [ { "lessThanOrEqual": "3.0.4", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-1352", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-10T19:07:33.299678Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-08T19:18:16.659Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin", "vendor": "techlabpro1", "versions": [ { "lessThanOrEqual": "3.0.4", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Francesco Carlucci" } ], "descriptions": [ { "lang": "en", "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access \u0026 
modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms." } ], "metrics": [ { "cvssV3_1": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-862 Missing Authorization", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-09T18:59:33.826Z", "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence" }, "references": [ { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve" }, { "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166" }, { "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893" } ], "timeline": [ { "lang": "en", "time": "2024-04-04T00:00:00.000+00:00", "value": "Disclosed" } ] } }, "cveMetadata": { "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "assignerShortName": "Wordfence", "cveId": "CVE-2024-1352", "datePublished": "2024-04-09T18:59:33.826Z", "dateReserved": "2024-02-08T17:54:27.266Z", "dateUpdated": "2024-08-08T19:18:16.659Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-2655 (GCVE-0-2022-2655)
Vulnerability from cvelistv5
Published
2022-09-16 08:40
Modified
2024-08-03 00:46
CWE
- CWE-79 - Cross-Site Scripting (XSS)
Summary
The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.
References
URL | Tags |
---|---|
https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Unknown | Classified Listing Pro - Classified ads & Business Directory Plugin | Version: 2.0.20 < 2.0.20 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:03.372Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin", "vendor": "Unknown", "versions": [ { "lessThan": "2.0.20", "status": "affected", "version": "2.0.20", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Team ISH Tecnologia (Thiago Martins" }, { "lang": "en", "value": "Jorge Buzeti" }, { "lang": "en", "value": "Leandro Inacio" }, { "lang": "en", "value": "Lucas de Souza" }, { "lang": "en", "value": "Matheus Oliveira" }, { "lang": "en", "value": "Filipe Baptistella" }, { "lang": "en", "value": "Leonardo Paiva" }, { "lang": "en", "value": "Jose Thomaz" }, { "lang": "en", "value": "Joao Maciel" }, { "lang": "en", "value": "Vinicius Pereira" }, { "lang": "en", "value": "Geovanni Campos" }, { "lang": "en", "value": "Hudson Nowak" }, { "lang": "en", "value": "Guilherme Acerbi) and Islan Ferreira." 
} ], "descriptions": [ { "lang": "en", "value": "The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-16T08:40:31", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b" } ], "source": { "discovery": "EXTERNAL" }, "title": "Classified Listing Pro \u003c 2.0.20 - Reflected Cross-Site Scripting", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-2655", "STATE": "PUBLIC", "TITLE": "Classified Listing Pro \u003c 2.0.20 - Reflected Cross-Site Scripting" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "2.0.20", "version_value": "2.0.20" } ] } } ] }, "vendor_name": "Unknown" } ] } }, "credit": [ { "lang": "eng", "value": "Team ISH Tecnologia (Thiago Martins" }, { "lang": "eng", "value": "Jorge Buzeti" }, { "lang": "eng", "value": "Leandro Inacio" }, { "lang": "eng", "value": "Lucas de Souza" }, { "lang": "eng", "value": "Matheus Oliveira" }, { "lang": "eng", "value": "Filipe Baptistella" }, { "lang": "eng", "value": "Leonardo Paiva" }, { "lang": "eng", "value": "Jose Thomaz" }, { "lang": "eng", "value": "Joao Maciel" }, { "lang": "eng", "value": "Vinicius Pereira" }, { "lang": "eng", "value": "Geovanni Campos" }, { "lang": "eng", "value": "Hudson Nowak" }, { "lang": "eng", "value": "Guilherme Acerbi) and Islan 
Ferreira." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting" } ] }, "generator": "WPScan CVE Generator", "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-2655", "datePublished": "2022-09-16T08:40:31", "dateReserved": "2022-08-04T00:00:00", "dateUpdated": "2024-08-03T00:46:03.372Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-1315 (GCVE-0-2024-1315)
Vulnerability from cvelistv5
Published
2024-04-09 18:58
Modified
2024-08-01 18:33
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtcl_update_user_account' function. This makes it possible for unauthenticated attackers to change the administrator user's password and email address via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account.
Impacted products
Vendor | Product | Version |
---|---|---|
techlabpro1 | Classified Listing – Classified ads & Business Directory Plugin | Version: * ≤ 3.0.4 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1315", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-05-08T15:58:12.303907Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T18:00:14.709Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:33:25.419Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5439651e-5557-4b13-813a-4fc0ad876104?source=cve" }, { "tags": [ "x_transferred" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.1/app/Controllers/Ajax/PublicUser.php#L445" }, { "tags": [ "x_transferred" ], "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.5/app/Controllers/Ajax/PublicUser.php#L445" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin", "vendor": "techlabpro1", "versions": [ { "lessThanOrEqual": "3.0.4", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Francesco Carlucci" } ], "descriptions": [ { "lang": "en", "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the \u0027rtcl_update_user_account\u0027 function. 
This makes it possible for unauthenticated attackers to change the administrator user\u0027s password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account." } ], "metrics": [ { "cvssV3_1": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-09T18:58:48.332Z", "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence" }, "references": [ { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5439651e-5557-4b13-813a-4fc0ad876104?source=cve" }, { "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.1/app/Controllers/Ajax/PublicUser.php#L445" }, { "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.5/app/Controllers/Ajax/PublicUser.php#L445" } ], "timeline": [ { "lang": "en", "time": "2024-04-04T00:00:00.000+00:00", "value": "Disclosed" } ] } }, "cveMetadata": { "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "assignerShortName": "Wordfence", "cveId": "CVE-2024-1315", "datePublished": "2024-04-09T18:58:48.332Z", "dateReserved": "2024-02-07T15:35:02.282Z", "dateUpdated": "2024-08-01T18:33:25.419Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }