The vulnerability is an unauthenticated broken access control flaw in the Classified Listing WordPress plugin versions up to 5.3.8. It allows an attacker, without needing user credentials, to perform privileged actions usually reserved for administrators of the plugin. The high level impact includes the potential for data disclosure, modification, or deletion of listings managed by the plugin, as well as possible tampering with configuration settings that could extend an attacker’s control over the site. This weakness is identified as CWE‑862, which denotes inadequate enforcement of access controls. The description in the CVE entry specifies only that the flaw exists; the precise extent of damage depends on the configuration of the site’s WordPress installation, including the level of access any exposed administrative interface grants.

The affected system is the WordPress Classified Listing plugin developed by Mamunur Rashid. Versions up to and including 5.3.8 are vulnerable. Users running any of those releases on a WordPress installation with that plugin installed are at risk. No other versions are listed as affected in the current CVE data.

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not yet listed in the CISA KEV catalog. Based on the fact that the flaw permits unauthenticated access, the likely attack vector is over the web, through HTTP requests to the plugin’s administrative endpoints. An attacker could exploit the weakness by sending crafted requests to those endpoints, bypassing any checks that normally restrict access to authenticated users. Since the flaw is not tied to any specific PHP or configuration error disclosed in the description, it is inferred that the plugin’s access control checks are simply missing or incorrectly applied, allowing an arbitrary attacker to reach privileged functions without authentication.