Skip to main content

Classified Listing EUVDEUVD-2026-37978

| CVE-2026-10779 MEDIUM
Missing Authorization (CWE-862)
2026-06-19 Wordfence GHSA-h883-4576-v3x4
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable AJAX endpoint; PR:L because subscriber-level session required; I:L only since impact is limited to listing image modification with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 04:47 vuln.today
CVE Published
Jun 19, 2026 - 03:41 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Classified Listing - Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own.

AnalysisAI

Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber-level account
Delivery
Load frontend listing-submission form to extract valid nonce
Exploit
Identify target listing ID (via site enumeration)
Execution
Craft POST to wp-admin/admin-ajax.php with action=rtcl_fb_gallery_image_update_as_feature
Persist
Submit arbitrary listing ID and attachment ID
Impact
Featured image of victim listing overwritten

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with at minimum Subscriber-level role on the target site - unauthenticated exploitation is not possible because a nonce tied to a logged-in session is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately captures the limited blast radius of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Subscriber-level account on a WordPress site running the Classified Listing plugin through version 5.4.2, then navigates to the frontend listing-submission form to harvest a valid nonce. The attacker then crafts a POST request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) targeting action=rtcl_fb_gallery_image_update_as_feature with a victim-owned listing ID and a chosen image attachment ID, successfully reassigning the featured image of the victim's listing without any ownership check. …
Remediation WordPress site administrators should update the Classified Listing plugin to the version immediately following 5.4.2 as released by TechlabPro1 via the WordPress.org plugin repository (https://wordpress.org/plugins/classified-listing/). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy