WordPress Plugin Vulnerabilities

Classified Listing – Classified ads & Business Directory Plugin < 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion

Description

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachements.

Affects Plugins

Plugin icon
classified-listing
Fixed in 3.0.11

References

CVE
CVE-2024-3893
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
3dd3bd71-f1e8-4d94-bd6b-6ec5d8f71232

Timeline

Publicly Published
2024-04-24 (about 2 years ago)
Added
2024-04-24 (about 2 years ago)
Last Updated
2024-04-24 (about 2 years ago)

Other

Published
Title
Published
2024-04-05
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 5.0 - Unauthenticated Arbitrary File Download
Published
2024-04-05
Title
Image Watermark < 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Watermark Modification
Published
2026-02-17
Title
EventPrime < 4.2.8.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter
Published
2025-10-28
Title
Anti-Malware Security and Brute-Force Firewall < 4.23.83 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read
Published
2025-02-03
Title
RapidLoad < 2.4.5 - Missing Authorization