Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elated Listing: from n/a through <= 1.4.
AnalysisAI
Elated Listing through version 1.4 contains an authorization bypass that allows authenticated users to modify data they should not have access to due to improperly configured access controls. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized modifications, though they cannot access sensitive information or disrupt system availability. No patch is currently available for this medium-severity vulnerability.
Technical ContextAI
The vulnerability affects the Elated Listing WordPress plugin (CPE: cpe:2.3:a:elated-themes:elated_listing:*:*:*:*:*:*:*:*), which is a content listing and management component for WordPress websites. The root cause is classified under CWE-862 (Missing Authorization), which describes scenarios where an application fails to properly enforce access control restrictions before allowing users to access protected resources or perform sensitive operations. In the context of WordPress plugins, this typically manifests as inadequate capability checks (using functions like current_user_can()) or missing nonce verification on AJAX endpoints and form submissions. The plugin's access control mechanisms are not properly validating user roles and permissions before executing critical functions, allowing bypassing of intended security boundaries.
RemediationAI
Immediately upgrade Elated Listing to a version greater than 1.4 that includes the authorization fixes. Site administrators should first verify their current plugin version through the WordPress admin dashboard (Plugins > Installed Plugins) and apply the latest available update from the official Elated-Themes repository. If no patched version is immediately available, implement temporary mitigations by restricting plugin functionality through WordPress user role management, disabling the affected plugin features via code if possible, and implementing Web Application Firewall (WAF) rules to detect and block unauthorized access attempts to the plugin's endpoints. Monitor Patchstack and the official Elated-Themes security channels for patch availability, and test any updates in a staging environment before production deployment.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15584
GHSA-5x6q-2pcp-57xv