Description
The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own.
Published: 2026-06-19
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Classified Listing plugin exposes an AJAX handler that allows any authenticated user with Subscriber-level access or higher to set the featured image of any listing, regardless of ownership. The handler accepts user-supplied listing and attachment identifiers and relies only on a nonce that is publicly available in the front‑end submission form. This omission of an ownership or capability check means an attacker can arbitrarily change the featured image for listings they do not own, potentially defacing content or misleading users. The weakness is a classic missing authorization flaw, identified as CWE‑862.

Affected Systems

Any WordPress site running the Classified Listing plugin (vendor: techlabpro1) at version 5.4.2 or earlier is affected. The vulnerability exists in all releases up to and including 5.4.2; newer releases are not impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact with limited damage potential, but the attack requires only basic login credentials and access to the front-end listing submission form. No exploit code is required, since the flaw is triggered through normal AJAX interactions. EPSS is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting limited observed exploitation so far. The likely attack vector is a logged-in user sending a standard AJAX request from the site's client side, which makes exploitation straightforward in a typical WordPress environment.

Generated by OpenCVE AI on June 19, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Classified Listing plugin to a version newer than 5.4.2, which removes the unauthorized AJAX endpoint.
  • If an upgrade is not immediately possible, disable or delete the affected AJAX actions in the plugin's code so that the unchecked handler cannot be reached.
  • Configure the remaining AJAX handlers to require Administrator privileges, or explicitly verify listing ownership before accepting featured-image changes.
  • Ensure all nonces used in AJAX calls are generated per request and verified server-side, so stale tokens cannot be reused by attackers.
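The following is an added illustrative example, not code from the Classified Listing plugin or from OpenCVE. It shows what a WordPress AJAX handler that sets a listing's featured image looks like once the checks this advisory describes as missing are in place: the nonce is verified first, but authorization is then decided per object, by confirming the listing exists, that the caller owns it (or otherwise holds the edit capability for that specific post), and that the attachment is an image the caller is entitled to use. The hook name, function name, nonce action and the listing post type (`example_listing`) are assumptions for illustration; the `listingId` and `id` parameter names come from the advisory title. All other calls are standard WordPress core functions.

```php
<?php
// Added example (not the plugin's own code). Names prefixed "example_" are assumed.
add_action( 'wp_ajax_example_set_listing_feature', 'example_set_listing_feature' );

function example_set_listing_feature() {
    // 1. Nonce: proves the request originated from a form this site rendered.
    //    On its own it says nothing about whether the caller may edit THIS listing,
    //    which is exactly the gap the advisory describes.
    check_ajax_referer( 'example_set_feature_nonce', 'nonce' );

    // 2. Coerce user-supplied identifiers to integers before any lookup.
    $listing_id    = isset( $_POST['listingId'] ) ? absint( $_POST['listingId'] ) : 0;
    $attachment_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $listing_id || ! $attachment_id ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid identifiers.' ), 400 );
    }

    // 3. The target must exist and be a listing, not some other post type.
    $listing = get_post( $listing_id );
    if ( ! $listing || 'example_listing' !== $listing->post_type ) { // post type is assumed
        wp_send_json_error( array( 'message' => 'Listing not found.' ), 404 );
    }

    // 4. Ownership / capability check bound to the specific post. The owner may
    //    edit their own listing; anyone else needs the edit_post capability for
    //    this post id, which map_meta_cap resolves to edit_others_posts-style
    //    rights that a Subscriber does not have.
    $is_owner = (int) $listing->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to modify this listing.' ), 403 );
    }

    // 5. The attachment must be an image and must belong to the caller or to this
    //    listing, so a caller cannot point a listing at someone else's upload.
    $attachment = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }
    $may_use_attachment = (int) $attachment->post_author === get_current_user_id()
        || (int) $attachment->post_parent === $listing_id;
    if ( ! $may_use_attachment ) {
        wp_send_json_error( array( 'message' => 'Attachment not available to caller.' ), 403 );
    }

    // 6. Only after every check passes is the privileged write performed.
    if ( ! set_post_thumbnail( $listing_id, $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Could not set featured image.' ), 500 );
    }
    wp_send_json_success( array( 'listingId' => $listing_id, 'thumbnail' => $attachment_id ) );
}
```

The ordering matters for review: the nonce check (step 1) is what the vulnerable handler reportedly stopped at, while steps 3 to 5 are the object-level authorization that the advisory's CWE-862 classification points to. When auditing a plugin's AJAX handlers, look for any `wp_ajax_*` callback that reaches a write (here `set_post_thumbnail`) with only `check_ajax_referer` between the request and the write.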


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 04:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own.

Type: Title
Values Removed: (none)
Values Added: Classified Listing <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'/'id' Parameters)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-19T03:41:58.826Z

Reserved: 2026-06-03T15:59:20.530Z

Link: CVE-2026-10779

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T05:30:15Z

Weaknesses