Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-reachable AJAX endpoint; PR:L because subscriber-level session required; I:L only since impact is limited to listing image modification with no confidentiality or availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Classified Listing - Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own.
AnalysisAI
Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with at minimum Subscriber-level role on the target site - unauthenticated exploitation is not possible because a nonce tied to a logged-in session is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately captures the limited blast radius of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a Subscriber-level account on a WordPress site running the Classified Listing plugin through version 5.4.2, then navigates to the frontend listing-submission form to harvest a valid nonce. The attacker then crafts a POST request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) targeting action=rtcl_fb_gallery_image_update_as_feature with a victim-owned listing ID and a chosen image attachment ID, successfully reassigning the featured image of the victim's listing without any ownership check. … |
| Remediation | WordPress site administrators should update the Classified Listing plugin to the version immediately following 5.4.2 as released by TechlabPro1 via the WordPress.org plugin repository (https://wordpress.org/plugins/classified-listing/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37978
GHSA-h883-4576-v3x4