CVE-2024-1315 in Classified Listing Plugininfo

Summary

by MITRE • 04/09/2024

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtcl_update_user_account' function. This makes it possible for unauthenticated attackers to change the administrator user's password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/14/2026

The Classified Listing plugin for WordPress represents a widely used business directory solution that enables users to create classified advertisements and manage business listings. This particular vulnerability affects all versions up to and including 3.0.4, making it a significant concern for WordPress administrators who rely on this plugin for their website operations. The plugin's functionality extends to user account management, including the ability to update user information such as passwords and email addresses, which creates a critical attack surface when proper security controls are absent.

The technical flaw stems from the absence of proper nonce validation within the rtcl_update_user_account function, which serves as the core mechanism for updating user account details. Nonces represent time-based tokens that verify the authenticity of requests and prevent unauthorized modifications to user accounts. Without these validation checks, attackers can craft malicious requests that appear legitimate to the WordPress system. This vulnerability specifically targets the CSRF protection mechanisms that should prevent unauthorized actions from being executed on behalf of authenticated users.

The operational impact of this vulnerability extends beyond simple privilege escalation, creating a scenario where administrators become locked out of their own systems. When an attacker successfully modifies an administrator's password and email address, they effectively gain complete control over the WordPress installation while simultaneously preventing legitimate administrators from accessing their accounts. This creates a persistent security breach that can remain undetected for extended periods, as the administrator's inability to log in or reset their password becomes the primary indicator of compromise.

The attack vector requires social engineering elements to be effective, as attackers must trick administrators into clicking malicious links or visiting compromised websites that contain the forged requests. This makes the vulnerability particularly dangerous because it leverages human factors alongside technical weaknesses. The attacker's success depends on convincing a trusted administrator to perform actions that would normally be protected by proper authentication and authorization controls. This approach aligns with the ATT&CK framework's privilege escalation techniques and demonstrates how CSRF vulnerabilities can be exploited to achieve persistent access to critical systems.

Organizations should immediately update to the latest version of the Classified Listing plugin to address this vulnerability, as no patches were available for versions prior to the fix. The recommended mitigation strategy includes implementing proper nonce validation throughout the plugin's codebase, particularly for all user account modification functions. Additionally, administrators should consider implementing additional security measures such as two-factor authentication, regular security audits, and monitoring for unauthorized account changes. This vulnerability exemplifies the importance of maintaining current software versions and the critical need for proper input validation in web applications. The CWE classification for this vulnerability would fall under CWE-352, which specifically addresses Cross-Site Request Forgery, highlighting the fundamental security principle that all state-changing operations must be protected against unauthorized requests.

Responsible

Wordfence

Reservation

02/07/2024

Disclosure

04/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00456

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!