Description
Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery. This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9.
Published: 2025-12-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site request forgery flaw in the Advanced Classifieds & Directory Pro plugin that allows an attacker to submit forged requests on behalf of a logged‑in user. Without proper nonce validation, an attacker can trigger any state‑changing operation that the user is authorized to perform, such as editing listings, managing categories, or changing plugin settings. This can lead to unauthorized data modifications and potential loss of data integrity (CWE‑352).

Affected Systems

WordPress sites that use the pluginsware Advanced Classifieds & Directory Pro plugin, in any version up to and including 3.2.9, are affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk; the EPSS score of less than 1% suggests low exploit probability in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation would require an attacker to craft a malicious link or form that the user visits while authenticated. Because the flaw allows state changes through standard HTTP requests, an attacker can trigger arbitrary actions provided the user has the necessary privileges.

Generated by OpenCVE AI on April 30, 2026 at 04:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced Classifieds & Directory Pro plugin to the latest released version once a patch is available to remove the flaw.
  • Verify that any custom forms or actions within the plugin enforce WordPress nonce checks to protect against CSRF.
  • Restrict administrative access to trusted users and enable multi‑factor authentication to reduce the risk that a logged‑in user will unknowingly execute malicious requests.
  • Deploy a site‑wide CSRF protection mechanism (e.g., a security plugin that automatically adds nonce tags to forms) to provide an additional layer of defense.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Pluginsware; Pluginsware advanced Classifieds & Directory Pro; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Pluginsware; Pluginsware advanced Classifieds & Directory Pro; Wordpress; Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 13:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery. This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9.

Type: Title
Values Added: WordPress Advanced Classifieds & Directory Pro plugin <= 3.2.9 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.690Z

Reserved: 2025-12-19T10:17:34.322Z

Link: CVE-2025-68580

Vulnrichment

Updated: 2025-12-24T18:50:08.519Z

NVD

Status: Deferred

Published: 2025-12-24T13:16:25.140

Modified: 2026-04-27T19:16:33.050

Link: CVE-2025-68580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:45:06Z

Weaknesses