Description
The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization.
Published: 2026-05-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Classified Listing plugin for WordPress fails to verify that a user has the necessary permissions before executing certain AJAX actions. The flaw allows authenticated users with subscriber-level or higher privileges to add arbitrary notes to any order and to trigger unsolicited notification and moderation emails to listing owners without administrative approval. This lack of proper authorization leads to unauthorized data modification and potential information disclosure through email notifications.

Affected Systems

WordPress sites running techlabpro1 Classified Listing – AI-Powered Classified ads & Business Directory Plugin versions up to and including 5.3.10 are susceptible. The vulnerability is present in every release up to 5.3.10 and is addressed only in versions later than 5.3.10.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, and the EPSS score is not available, suggesting limited public exploitation data. The issue is not listed in CISA KEV. Attackers need only an authenticated account with a subscriber or higher role to exploit the flaw, making the attack path relatively straightforward for sites that have granted broader access to non-administrative users.

Generated by OpenCVE AI on May 15, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Classified Listing plugin to a version later than 5.3.10, preferably the latest stable release to receive the authorization fix.
  • If an immediate update is not feasible, restrict or remove the add_order_note and send_email_to_user_by_moderator AJAX actions for subscriber-level users, for instance by disabling related shortcodes or hooks via a custom snippet or plugin configuration.
  • Implement role-based access checks in the plugin or by using a security plugin that blocks unauthorized AJAX calls for non-administrative roles.
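The interim mitigation from the list above, as an added example that is not the plugin's own code: a must-use plugin that gates the two AJAX actions named in the advisory behind a capability check. It assumes the vulnerable handlers are registered on the wp_ajax_{action} hooks at WordPress's default priority 10 and that "administrative" means the manage_options capability; both are assumptions, not facts from the advisory.

```php
<?php
/**
 * Plugin Name: Gate Classified Listing order-note AJAX actions (interim mitigation)
 *
 * Added example, not the plugin's own code. Place it in wp-content/mu-plugins/ so it
 * loads before ordinary plugins. Assumption: the vulnerable handlers are attached to
 * wp_ajax_{action} at the default priority 10, so a callback at priority 0 runs first
 * and can stop the request before the plugin's code sees it.
 */

// Action names taken from the advisory title.
const GATED_ACTIONS = [ 'add_order_note', 'send_email_to_user_by_moderator' ];
// Assumption: only administrators should reach these handlers.
const REQUIRED_CAP = 'manage_options';

function gate_classified_listing_ajax() {
    if ( current_user_can( REQUIRED_CAP ) ) {
        return; // administrators keep the original behaviour
    }
    // Leave an audit trail a SOC can alert on: which action, which user, from where.
    error_log( sprintf(
        'blocked AJAX action %s for user %d from %s',
        sanitize_key( $_REQUEST['action'] ?? '' ),
        get_current_user_id(),
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' )
    ) );
    // wp_send_json_error() ends the request via wp_die(), so the plugin's
    // handler at priority 10 never runs.
    wp_send_json_error( [ 'message' => 'forbidden' ], 403 );
}

foreach ( GATED_ACTIONS as $action ) {
    // Subscriber-level attackers are logged in, so only wp_ajax_ (not
    // wp_ajax_nopriv_) needs the gate.
    add_action( 'wp_ajax_' . $action, 'gate_classified_listing_ajax', 0 );
}
```

Remove the mu-plugin once the site runs a version later than 5.3.10; if the plugin registers its handlers on a different hook or at a priority below 0, the gate will not run first and must be adjusted.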

Advisories

No advisories yet.

References
https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Admin/ScriptLoader.php#L672
https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Ajax/ListingAdminAjax.php#L48
https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Hooks/Comments.php#L51
https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Hooks/Comments.php#L63
https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Admin/ScriptLoader.php#L672
https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Ajax/ListingAdminAjax.php#L48
https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Hooks/Comments.php#L51
https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Hooks/Comments.php#L63
https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Admin/ScriptLoader.php#L672
https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/ListingAdminAjax.php#L48
https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Hooks/Comments.php#L51
https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Hooks/Comments.php#L63
https://plugins.trac.wordpress.org/changeset/3527717/
https://www.wordfence.com/threat-intel/vulnerabilities/id/07cb3d57-d768-49a5-8af0-9dc4384487d5?source=cve
History

Fri, 15 May 2026 14:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 09:00:00 +0000

Type: Description
Values Added: The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization.

Type: Title
Values Added: Classified Listing <= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-15T13:26:23.265Z

Reserved: 2026-04-30T20:15:37.502Z

Link: CVE-2026-7563

Vulnrichment

Updated: 2026-05-15T13:26:18.485Z

NVD

Status: Deferred

Published: 2026-05-15T09:16:17.510

Modified: 2026-05-15T14:09:15.910

Link: CVE-2026-7563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:00:10Z

Weaknesses