Skip to main content

Classified Listing CVE-2026-42679

| EUVDEUVD-2026-33683 MEDIUM
Path Traversal (CWE-22)
2026-06-01 Patchstack GHSA-8pf8-7vpw-x352
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 17:21 vuln.today

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mamunur Rashid Classified Listing allows Path Traversal.

This issue affects Classified Listing: from n/a through 5.3.8.

AnalysisAI

Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged users to download arbitrary files from the server filesystem. The vulnerability, reported by Patchstack as an arbitrary file download flaw, exposes full confidentiality impact (C:H) with no integrity or availability consequence, meaning attackers can exfiltrate sensitive server files - including wp-config.php, credentials, or private data - but cannot modify or destroy them. No active exploitation is confirmed and no public exploit code has been identified at time of analysis.

Technical ContextAI

The affected component is the Classified Listing plugin for WordPress, authored by Mamunur Rashid, identified via CPE cpe:2.3:a:mamunur_rashid:classified_listing:*:*:*:*:*:*:*:* covering all versions through 5.3.8. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) indicates the plugin fails to sanitize user-supplied path input before using it to construct a file access operation - a classic directory traversal pattern. In WordPress plugin context, this typically manifests in a file download or export endpoint where a filename or path parameter is not validated against a permitted base directory, allowing sequences such as '../../../' to escape the intended directory scope. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the flaw is reachable over the network with low complexity and requires only a low-privilege authenticated session.

RemediationAI

The primary remediation is to update the Classified Listing plugin to a version beyond 5.3.8; however, an exact patched release version is not confirmed in the available data - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-8-arbitrary-file-download-vulnerability) and the WordPress plugin repository for the latest release. As a compensating control pending an update, administrators should restrict plugin access by limiting user registration or removing low-privilege roles that can invoke the vulnerable file download functionality. Additionally, a web application firewall rule blocking path traversal patterns (e.g., '../' sequences) in query parameters targeting the plugin's endpoints can reduce exploitability, though this may affect legitimate functionality. Monitoring access logs for traversal sequences in file-related plugin requests is advisable for detection.

CVE-2022-2655 MEDIUM POC
6.1 Sep 16

The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in a

CVE-2022-2654 MEDIUM POC
6.1 Sep 16

The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classifie

CVE-2024-1315 HIGH
8.8 Apr 09

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Req

CVE-2023-37387 HIGH
8.8 Jul 18

Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions. Rated high s

CVE-2026-57344 HIGH
7.1 Jul 02

Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remot

CVE-2026-42658 HIGH
7.1 Jun 15

Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earl

CVE-2024-1352 MEDIUM
6.5 Apr 09

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized a

CVE-2026-57355 MEDIUM
6.5 Jul 02

Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticat

CVE-2026-42640 MEDIUM
6.5 Jun 15

Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attack

CVE-2026-42651 MEDIUM
6.3 Jun 15

Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticate

CVE-2025-1063 MEDIUM
5.3 Feb 25

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Info

CVE-2024-3893 MEDIUM
4.3 Apr 25

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized l

Share

CVE-2026-42679 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy