Skip to main content

Elated Listing CVE-2026-24972

| EUVDEUVD-2026-15584 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-5x6q-2pcp-57xv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15584
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elated Listing: from n/a through <= 1.4.

AnalysisAI

Elated Listing through version 1.4 contains an authorization bypass that allows authenticated users to modify data they should not have access to due to improperly configured access controls. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized modifications, though they cannot access sensitive information or disrupt system availability. No patch is currently available for this medium-severity vulnerability.

Technical ContextAI

The vulnerability affects the Elated Listing WordPress plugin (CPE: cpe:2.3:a:elated-themes:elated_listing:*:*:*:*:*:*:*:*), which is a content listing and management component for WordPress websites. The root cause is classified under CWE-862 (Missing Authorization), which describes scenarios where an application fails to properly enforce access control restrictions before allowing users to access protected resources or perform sensitive operations. In the context of WordPress plugins, this typically manifests as inadequate capability checks (using functions like current_user_can()) or missing nonce verification on AJAX endpoints and form submissions. The plugin's access control mechanisms are not properly validating user roles and permissions before executing critical functions, allowing bypassing of intended security boundaries.

RemediationAI

Immediately upgrade Elated Listing to a version greater than 1.4 that includes the authorization fixes. Site administrators should first verify their current plugin version through the WordPress admin dashboard (Plugins > Installed Plugins) and apply the latest available update from the official Elated-Themes repository. If no patched version is immediately available, implement temporary mitigations by restricting plugin functionality through WordPress user role management, disabling the affected plugin features via code if possible, and implementing Web Application Firewall (WAF) rules to detect and block unauthorized access attempts to the plugin's endpoints. Monitor Patchstack and the official Elated-Themes security channels for patch availability, and test any updates in a staging environment before production deployment.

Share

CVE-2026-24972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy