Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mamunur Rashid Classified Listing allows Path Traversal.

This issue affects Classified Listing: from n/a through 5.3.8.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mamunur Rashid Classified Listing WordPress plugin contains a path traversal flaw (CWE‑22) that allows an attacker to retrieve arbitrary files from the web server through the plugin’s download endpoint. This flaw can expose configuration files, user data, or other sensitive content located outside the intended directory, thereby compromising confidentiality and integrity. The advisory rates the issue as a medium severity vulnerability, reflected in its CVSS score of 6.5, and does not indicate an availability impact.

Affected Systems

This vulnerability affects all releases of the plugin from its initial unversioned build up to and including version 5.3.8. The affected product is the Mamunur Rashid Classified Listing WordPress plugin, a third‑party extension that adds classified‑listing functionality to WordPress sites. No additional vendor or product information is listed beyond the plugin itself.

Risk and Exploitability

An attacker can exploit the flaw by sending crafted HTTP requests that contain directory traversal sequences to the download URL. Based on the description, it is inferred that authentication is not required, so the path traversal is likely exploitable by unauthenticated users through normal web traffic; note, however, that the CVSS vector recorded for this CVE specifies PR:L (low privileges required). The EPSS score is not available, making the exact exploitation likelihood uncertain; however, the medium CVSS rating suggests a meaningful threat level. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 1, 2026 at 20:05 UTC.

Remediation

Vendor Solution

Update the WordPress Classified Listing Plugin to the latest available version (at least 5.3.9).


OpenCVE Recommended Actions

  • Update the Classified Listing plugin to version 5.3.9 or later to eliminate the path traversal flaw.
  • If an immediate update is not possible, disable or remove the plugin’s file‑download feature, or uninstall the plugin entirely, to block the vulnerable endpoint.
  • Deploy a web application firewall or configure server access controls to filter out requests that contain directory traversal patterns before they reach the plugin.

History

Mon, 01 Jun 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 01 Jun 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mamunur Rashid Classified Listing allows Path Traversal. This issue affects Classified Listing: from n/a through 5.3.8. |
| Title | | WordPress Classified Listing plugin <= 5.3.8 - Arbitrary File Download vulnerability |
| Weaknesses | | CWE-22 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-01T17:08:04.612Z

Reserved: 2026-04-29T09:04:56.881Z

Link: CVE-2026-42679

Vulnrichment

Updated: 2026-06-01T17:07:59.052Z

NVD

Status: Deferred

Published: 2026-06-01T17:17:00.550

Modified: 2026-06-01T17:57:16.380

Link: CVE-2026-42679

OpenCVE Enrichment

Updated: 2026-06-01T20:15:36Z
