Themes Vulnerabilities

ListingPro < 2.9.5 - Cross-Site Request Forgery to Account Takeover

Description

The theme is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to takeover user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Themes

listingpro
Fixed in 2.9.5

References

CVE
CVE-2024-39623
URL
https://patchstack.com/database/vulnerability/listingpro/wordpress-listingpro-theme-2-9-3-cross-site-request-forgery-csrf-to-account-takeover-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
0cb08924-b175-4faa-ac55-d988fc70d73e

Timeline

Publicly Published
2024-07-22 (about 1 year ago)
Added
2024-08-01 (about 1 year ago)
Last Updated
2024-11-15 (about 1 year ago)

Other

Published
Title
Published
2023-01-04
Title
FL3R FeelBox <= 8.1 - Settings Update via CSRF to Stored XSS
Published
2025-03-24
Title
Typekit plugin for WordPress <= 1.2.3 - Cross-Site Request Forgery
Published
2025-08-25
Title
Savyour Affiliate Partner <= 2.1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-12-11
Title
RTL Tester <= 1.2 - Cross-Site Request Forgery
Published
2025-04-11
Title
Listings for Buildium < 0.1.6 - Stored XSS via CSRF