Classified Listing
Monthly
Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and network accessibility make this a realistic threat on any affected WordPress installation.
Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remote, unauthenticated attacker inject malicious script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope change (S:C) meaning the injected script can act beyond the vulnerable component into the wider browsing context. There is no public exploit identified at time of analysis and no active exploitation reported.
Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.
Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticated users to perform actions that should be restricted to higher-privileged roles, yielding partial confidentiality, integrity, and availability impact. Reported by Patchstack and tracked under ENISA EUVD-2026-36819, the flaw stems from missing authorization checks (CWE-862) within plugin functionality accessible to the lowest default WordPress user role. No public exploit identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attackers to bypass authorization checks, enabling limited read and write access to plugin-managed listing data without any credentials. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is network-exploitable against any internet-exposed WordPress installation running the affected plugin with no authentication or user interaction required. No public exploit code or CISA KEV listing has been identified at time of analysis.
Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged users to download arbitrary files from the server filesystem. The vulnerability, reported by Patchstack as an arbitrary file download flaw, exposes full confidentiality impact (C:H) with no integrity or availability consequence, meaning attackers can exfiltrate sensitive server files - including wp-config.php, credentials, or private data - but cannot modify or destroy them. No active exploitation is confirmed and no public exploit code has been identified at time of analysis.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and network accessibility make this a realistic threat on any affected WordPress installation.
Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remote, unauthenticated attacker inject malicious script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope change (S:C) meaning the injected script can act beyond the vulnerable component into the wider browsing context. There is no public exploit identified at time of analysis and no active exploitation reported.
Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.
Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticated users to perform actions that should be restricted to higher-privileged roles, yielding partial confidentiality, integrity, and availability impact. Reported by Patchstack and tracked under ENISA EUVD-2026-36819, the flaw stems from missing authorization checks (CWE-862) within plugin functionality accessible to the lowest default WordPress user role. No public exploit identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attackers to bypass authorization checks, enabling limited read and write access to plugin-managed listing data without any credentials. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is network-exploitable against any internet-exposed WordPress installation running the affected plugin with no authentication or user interaction required. No public exploit code or CISA KEV listing has been identified at time of analysis.
Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged users to download arbitrary files from the server filesystem. The vulnerability, reported by Patchstack as an arbitrary file download flaw, exposes full confidentiality impact (C:H) with no integrity or availability consequence, meaning attackers can exfiltrate sensitive server files - including wp-config.php, credentials, or private data - but cannot modify or destroy them. No active exploitation is confirmed and no public exploit code has been identified at time of analysis.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.