Cross-Site Request Forgery Vulnerability in Classified Ads Plugin for WordPress
CVE-2024-1315

8.8 HIGH

Key Information:

Summary

The Classified Listing – Classified ads & Business Directory Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.0.4. The 'rtcl_update_user_account' function does not validate a nonce, so the plugin has no way to tell a request submitted from its own account form apart from one submitted by an attacker-controlled page. An unauthenticated attacker can therefore forge a request that changes the account details of a logged-in administrator, such as the password and email address, provided the attacker can trick the administrator into performing an action such as clicking a link while logged in. Because the recovery email address can be changed in the same request, the administrator may be locked out of the account without being able to regain access through the normal password-reset flow, while the attacker obtains an administrator-level session.
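The following is an added illustration of the defect class the advisory describes, not code from the plugin itself. It places a handler that trusts the POST body (the CSRF-prone shape) beside the same handler with a WordPress nonce check. The action name and field names (`rtcl-update-user-account`, `_wpnonce`, `email`, `pass1`, `current_pass`) and the assumption that the function is wired to an admin-ajax.php action are assumptions for the example; a handler behind a plain form POST would use `wp_verify_nonce()` with the same nonce field instead of `check_ajax_referer()`.

```php
<?php
// Added example, not the plugin's own code. Handler shape, action name and
// field names are assumptions made for illustration.

// CSRF-prone pattern: the handler only checks that someone is logged in.
// An administrator who visits an attacker-controlled page can be made to
// submit this request (e.g. an auto-submitting form); the browser attaches
// the admin's session cookies and the request is accepted.
function example_vulnerable_update_user_account() {
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in' );
    }
    // No nonce check: any cross-site POST is treated as legitimate.
    $data = array( 'ID' => $user_id );
    if ( ! empty( $_POST['email'] ) ) {
        $data['user_email'] = sanitize_email( wp_unslash( $_POST['email'] ) );
    }
    if ( ! empty( $_POST['pass1'] ) ) {
        $data['user_pass'] = $_POST['pass1']; // wp_update_user() hashes it
    }
    wp_update_user( $data );
    wp_send_json_success();
}

// Hardened pattern: a nonce bound to the action and to the current user's
// session must accompany the request. The nonce is rendered into the
// legitimate form; an attacker's page cannot read it across origins, so a
// forged request is rejected before any account field is touched.
function example_hardened_update_user_account() {
    // Sends a 403 response and stops execution when the nonce is invalid.
    check_ajax_referer( 'rtcl-update-user-account', '_wpnonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in' );
    }
    $data = array( 'ID' => $user_id );

    if ( ! empty( $_POST['email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( 'invalid email' );
        }
        $data['user_email'] = $email;
    }

    if ( ! empty( $_POST['pass1'] ) ) {
        // Defence in depth: re-authenticate before rotating the credential,
        // so neither CSRF nor a hijacked session alone can change it.
        $user = get_userdata( $user_id );
        if ( empty( $_POST['current_pass'] )
            || ! wp_check_password( $_POST['current_pass'], $user->user_pass, $user_id ) ) {
            wp_send_json_error( 'current password incorrect' );
        }
        $data['user_pass'] = $_POST['pass1'];
    }

    wp_update_user( $data );
    wp_send_json_success();
}

// The legitimate form embeds the nonce that the hardened handler expects.
function example_render_account_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="rtcl_update_user_account">
        <?php wp_nonce_field( 'rtcl-update-user-account', '_wpnonce' ); ?>
        <input type="email" name="email">
        <input type="password" name="current_pass">
        <input type="password" name="pass1">
        <button type="submit">Save</button>
    </form>
    <?php
}

add_action( 'wp_ajax_rtcl_update_user_account', 'example_hardened_update_user_account' );
```

When reviewing a fix for this class of bug, confirm that the nonce check runs before any state-changing call (here `wp_update_user()`), that the nonce action string is specific to this operation rather than a plugin-wide constant, and that the check is not bypassed by an alternative entry point (a `wp_ajax_nopriv_` hook or a plain form handler) that reaches the same function.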

Affected Version(s)

Classified Listing – Classified ads & Business Directory Plugin: all versions <= 3.0.4

CVSS V3.1

Score: 8.8
Severity: HIGH
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Francesco Carlucci