CVE-2024-1352 in Classified Listing Plugin
Summary
by MITRE • 04/09/2024
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtcl_import_location() and rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.
Analysis
by VulDB Data Team • 04/14/2026
The vulnerability identified as CVE-2024-1352 affects the Classified Listing plugin for WordPress in all versions up to and including 3.0.4. This plugin provides classified ads and business directory functionality within WordPress environments, making it a potentially attractive target for malicious actors seeking to exploit weaknesses in listing management systems. The vulnerability stems from inadequate access control within the plugin's codebase, creating a pathway for unauthorized data manipulation.
The technical flaw manifests in the rtcl_import_location() and rtcl_import_category() functions which lack proper capability checks. These functions are designed to handle the import of location and category data but fail to verify whether the requesting user possesses appropriate authorization levels. This missing validation creates a privilege escalation opportunity where users with subscriber-level access or higher can execute these functions without proper authorization. The vulnerability specifically allows authenticated attackers to create terms within the plugin's taxonomy systems, effectively bypassing intended security controls that should restrict such operations to administrators or privileged users.
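The advisory page does not reproduce the plugin's source, so the following is an added illustration, not the plugin's own code: a minimal WordPress AJAX term-import handler written in the shape the analysis describes (no capability check), beside a hardened version built on the standard WordPress APIs. The action name, nonce action and the `manage_categories` capability are assumptions; the page does not state which hook the plugin registers or which capability the fixed release checks.

```php
<?php
// Added example, not the Classified Listing plugin's code. The action name
// 'rtcl_import_category_example', the nonce action and the capability checked are
// assumptions; the advisory page does not show the real handler.

// PATTERN THE ADVISORY DESCRIBES: a 'wp_ajax_*' handler fires for every
// authenticated session (subscribers included) and writes taxonomy terms
// without asking whether the caller is allowed to. Not registered below.
function rtcl_import_category_vulnerable_example() {
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $tax  = isset( $_POST['taxonomy'] ) ? sanitize_key( $_POST['taxonomy'] ) : 'category';
    // No nonce, no capability check: any logged-in user can create terms here.
    $result = wp_insert_term( $name, $tax );
    wp_send_json( $result );
}

// HARDENED PATTERN: verify intent (nonce) and authorisation (capability)
// before touching the taxonomy, and refuse names or taxonomies that are invalid.
function rtcl_import_category_hardened_example() {
    // Assumed nonce action name; dies with 403 if the nonce is missing or stale.
    check_ajax_referer( 'rtcl_import_example', 'nonce' );

    // 'manage_categories' is a core capability held by Editors and above.
    // Which capability the plugin should require is an assumption here.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $tax  = isset( $_POST['taxonomy'] ) ? sanitize_key( $_POST['taxonomy'] ) : '';

    if ( '' === $name || ! taxonomy_exists( $tax ) ) {
        wp_send_json_error( array( 'message' => 'Invalid term or taxonomy.' ), 400 );
    }

    $result = wp_insert_term( $name, $tax );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( $result );
}

// Only the hardened handler is wired up. 'wp_ajax_' hooks run for authenticated
// users only, which is exactly why the capability check inside cannot be omitted.
add_action( 'wp_ajax_rtcl_import_category_example', 'rtcl_import_category_hardened_example' );
```

The point of the contrast is that registering under `wp_ajax_` proves only that the caller is logged in; it says nothing about role. Authorisation has to be an explicit `current_user_can()` call inside the handler, and the nonce check protects the same endpoint against cross-site request forgery from a privileged user's browser.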
The operational impact of this vulnerability extends beyond simple data modification capabilities. Attackers with subscriber-level access can manipulate the classification systems that govern how listings are organized and displayed, potentially affecting search functionality, category hierarchies, and overall directory structure. This unauthorized access can lead to data corruption, information disclosure, and disruption of legitimate business operations. The vulnerability is particularly concerning because it leverages existing user accounts rather than requiring additional authentication mechanisms, making it more difficult to detect and prevent.
From a cybersecurity perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle of least privilege. In ATT&CK terms it maps to privilege escalation: an attacker uses an existing low-privilege account to perform actions reserved for higher roles. The affected plugin's functionality makes it particularly susceptible to abuse because it exposes direct interfaces for creating and modifying taxonomy terms that are fundamental to content organization. Organizations using this plugin face risks including potential data manipulation, service disruption, and possible escalation to full system compromise if attackers can leverage this access to perform additional malicious activities.
The recommended mitigations include immediate plugin updates to versions that address the capability check deficiencies, implementation of role-based access controls that limit term creation to authorized administrators only, and regular security audits of WordPress plugins to identify similar access control vulnerabilities. Additionally, organizations should implement monitoring solutions that track term creation activities and establish incident response procedures to address potential exploitation attempts. The vulnerability underscores the critical importance of proper access control implementation in web applications and the necessity of regular security assessments to identify and remediate such weaknesses before they can be exploited by malicious actors.
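The monitoring recommendation above can be implemented with a core WordPress hook. The following is an added example (not VulDB's or the plugin's code) that logs every taxonomy term creation together with the acting user and flags creations by accounts lacking `manage_categories`, which is the behaviour the advisory describes. The `created_term` action and the functions used are standard WordPress; the log prefix and the capability used as the threshold are assumptions.

```php
<?php
// Added example, not the plugin's code. Drop into wp-content/mu-plugins/ to
// audit term creation site-wide. Uses the core action
// do_action( 'created_term', $term_id, $tt_id, $taxonomy, ... ).

function audit_term_creation_example( $term_id, $tt_id, $taxonomy ) {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';

    $term = get_term( $term_id, $taxonomy );
    $name = ( $term instanceof WP_Term ) ? $term->name : '(unknown)';
    // Keep one event per line: strip newlines an attacker-chosen name might carry.
    $name = str_replace( array( "\r", "\n" ), ' ', $name );

    // Request context ties the event to the endpoint that created the term.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';

    // Assumed threshold: a term created by an account without 'manage_categories'
    // should never happen on a correctly gated site, so it is the event to alert on.
    $flag = current_user_can( 'manage_categories' ) ? 'ok' : 'UNPRIVILEGED_TERM_CREATION';

    error_log( sprintf(
        '[term-audit] %s user_id=%d roles=%s taxonomy=%s term_id=%d name="%s" ip=%s uri=%s',
        $flag, $user->ID, $roles, $taxonomy, $term_id, $name, $ip, $uri
    ) );
}
add_action( 'created_term', 'audit_term_creation_example', 10, 3 );
```

Events land in the PHP error log (or `wp-content/debug.log` when `WP_DEBUG_LOG` is enabled), where a log shipper can match on `UNPRIVILEGED_TERM_CREATION`. Because the hook runs after the term exists, this is detection rather than prevention; it complements, and does not replace, updating the plugin to a release that performs the capability check.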