Skip to main content

Classified Listing Ai Powered Classified Ads Business Directory

1 CVEs product

Monthly

CVE-2026-10779 MEDIUM This Month

Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in CISA KEV.

Authentication Bypass WordPress Classified Listing Ai Powered Classified Ads Business Directory
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in CISA KEV.

Authentication Bypass WordPress Classified Listing Ai Powered Classified Ads Business Directory
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy