CVE-2024-32085 in Citadela Listing Plugininfo

Summary

by MITRE • 04/15/2024

Cross-Site Request Forgery (CSRF) vulnerability in AitThemes Citadela Listing.This issue affects Citadela Listing: from n/a through 5.18.1.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/06/2025

The CVE-2024-32085 vulnerability represents a critical cross-site request forgery flaw within the AitThemes Citadela Listing WordPress plugin, which impacts versions ranging from unspecified initial releases through 5.18.1. This vulnerability resides in the plugin's handling of user requests and authentication mechanisms, creating a significant security risk for WordPress sites utilizing this listing management solution. The flaw allows malicious actors to trick authenticated users into performing unintended actions on the affected website without their knowledge or consent, potentially leading to unauthorized modifications or data manipulation.

This CSRF vulnerability stems from the absence of proper anti-forgery tokens or validation mechanisms in the plugin's administrative interfaces and form submissions. When users access the Citadela Listing admin panel or interact with specific plugin features, the system fails to verify that requests originate from legitimate sources within the same session. The technical implementation lacks robust session validation and request origin checking, making it susceptible to exploitation through carefully crafted malicious requests that can be triggered when users visit compromised websites or click on malicious links. According to CWE-352, this vulnerability directly maps to Cross-Site Request Forgery, a well-documented weakness in web application security that enables attackers to perform actions on behalf of authenticated users.

The operational impact of this vulnerability extends beyond simple data modification, potentially allowing attackers to execute administrative functions within the Citadela Listing plugin. An attacker could leverage this flaw to add new listings, modify existing entries, delete content, or potentially escalate privileges if the plugin's administrative functions provide broader system access. The vulnerability affects WordPress sites that rely on the Citadela Listing plugin for directory management, business listings, or similar content types, creating widespread risk across various business sectors including real estate, local services, and professional directories. The attack vector typically involves social engineering tactics where users are directed to malicious websites or pages containing crafted requests that exploit the CSRF vulnerability when the user is authenticated to the target site.

Mitigation strategies for this CSRF vulnerability should prioritize immediate plugin updates to version 5.18.2 or later, which contains the necessary patches to address the authentication validation gaps. System administrators should also implement additional protective measures including the enforcement of Content Security Policy headers, regular security audits of WordPress plugins, and monitoring for unauthorized administrative activities. Organizations using the Citadela Listing plugin should conduct thorough vulnerability assessments to identify any potential exploitation attempts and ensure that all user sessions are properly validated through anti-forgery token implementation. The ATT&CK framework categorizes this vulnerability under T1531, Credential Access, as it enables unauthorized access to administrative functions through session manipulation. Additionally, implementing proper input validation, session management, and request origin verification would align with security best practices and help prevent similar vulnerabilities in future deployments.

Responsible

Patchstack

Reservation

04/10/2024

Disclosure

04/15/2024

Moderation

accepted

CPE

ready

EPSS

0.00209

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!