Skip to main content

Classified Listing EUVDEUVD-2026-41354

| CVE-2026-57355 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-h46g-h6w4-h868
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-exploitable with low complexity; PR:L reflects mandatory subscriber authentication; I:H for unauthorized data modification; no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:35 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Classified Listing <= 5.4.2 versions.

AnalysisAI

Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target site
Delivery
Identify unprotected plugin AJAX/REST endpoint
Exploit
Send crafted authorized-action request as subscriber
Execution
Bypass missing capability check (CWE-862)
Impact
Perform unauthorized data modification (high integrity impact)

Vulnerability AssessmentAI

Exploitation The attacker must hold a subscriber-level (or higher) WordPress account on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N reflects a remotely exploitable, low-complexity flaw requiring only a subscriber account, which aligns with the 'Subscriber Broken Access Control' classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running Classified Listing <= 5.4.2 with open user registration enabled. Using their low-privilege session, they send a crafted HTTP request (likely a WordPress AJAX call or REST API request) to a plugin endpoint that lacks proper authorization checks, performing an action reserved for editors or administrators - such as publishing, modifying, or deleting listings owned by other users, or altering plugin configuration. …
Remediation The primary fix is to update the Classified Listing plugin to the version released after 5.4.2, which should include the missing authorization checks. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-2655 MEDIUM POC
6.1 Sep 16

The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in a

CVE-2022-2654 MEDIUM POC
6.1 Sep 16

The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classifie

CVE-2024-1315 HIGH
8.8 Apr 09

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Req

CVE-2023-37387 HIGH
8.8 Jul 18

Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions. Rated high s

CVE-2026-57344 HIGH
7.1 Jul 02

Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remot

CVE-2026-42658 HIGH
7.1 Jun 15

Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earl

CVE-2024-1352 MEDIUM
6.5 Apr 09

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized a

CVE-2026-42640 MEDIUM
6.5 Jun 15

Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attack

CVE-2026-42679 MEDIUM
6.5 Jun 01

Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged

CVE-2026-42651 MEDIUM
6.3 Jun 15

Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticate

CVE-2025-1063 MEDIUM
5.3 Feb 25

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Info

CVE-2024-3893 MEDIUM
4.3 Apr 25

The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized l

Share

EUVD-2026-41354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy