WordPress Plugin Vulnerabilities

Classified Listing – AI-Powered Classified ads & Business Directory Plugin < 5.3.9 - Missing Authorization

Description

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.3.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
classified-listing
Fixed in 5.3.9

References

CVE
CVE-2026-42640
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cbb25a81-a92b-4773-9194-9aa355750817

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Cruzer
Verified
No
WPVDB ID
24f467e3-defd-43d8-8b1a-416862d17158

Timeline

Publicly Published
2026-04-29 (about 15 days ago)
Added
2026-05-04 (about 9 days ago)
Last Updated
2026-05-04 (about 9 days ago)

Other

Published
Title
Published
2022-07-11
Title
YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
Published
2025-10-23
Title
ZoloBlocks < 2.3.12 - Missing Authorization to Unauthenticated Popup Enable/Disable
Published
2025-11-24
Title
Autochat Automatic Conversation <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update
Published
2025-11-24
Title
Ace Post Type Builder < 2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter
Published
2024-02-02
Title
BEAR < 1.1.4.1 - Missing Authorization via Several Functions