
    16 vulnerabilities found for classified_listing by radiustheme

    CVE-2025-1063 (GCVE-0-2025-1063)

    Vulnerability from nvd – Published: 2025-02-25 06:58 – Updated: 2026-04-08 17:30
    VLAI
    Title
    Classified Listing – Classified ads & Business Directory Plugin <= 4.0.4 - Unauthenticated Settings Exposure
    Summary
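    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens. Because the exposed data is credentials, updating the plugin does not by itself contain the exposure: API keys and tokens stored in the plugin settings of a site that ran an affected version should be rotated.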
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    wesley

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1063",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T14:32:32.605702Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T14:37:36.278Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:30:16.994Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e701b771-59f2-4783-b0a1-bea4d6c3d245?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3241883/classified-listing"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-05T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-02-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 4.0.4 - Unauthenticated Settings Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-1063",
        "datePublished": "2025-02-25T06:58:31.877Z",
        "dateReserved": "2025-02-05T17:42:57.217Z",
        "dateUpdated": "2026-04-08T17:30:16.994Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7888 (GCVE-0-2024-7888)

    Vulnerability from nvd – Published: 2024-09-13 06:47 – Updated: 2026-04-08 16:50
    VLAI
    Title
    Classified Listing – Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization
    Summary
    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Lucio Sá

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7888",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-13T13:39:35.703881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-13T13:39:49.847Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "3.1.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:50:27.216Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/494d2e69-0759-419a-a603-e8870c157e49?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.1.6/app/Controllers/Ajax/FormBuilderAdminAjax.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3150743/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAdminAjax.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-12T18:35:01.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 3.1.7 - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7888",
        "datePublished": "2024-09-13T06:47:26.961Z",
        "dateReserved": "2024-08-16T16:01:37.031Z",
        "dateUpdated": "2026-04-08T16:50:27.216Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3893 (GCVE-0-2024-3893)

    Vulnerability from nvd – Published: 2024-04-25 07:33 – Updated: 2026-04-08 17:30
    VLAI
    Title
    Classified Listing – Classified ads & Business Directory Plugin <= 3.0.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion
    Summary
    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    techlabpro1 Classified Listing – AI-Powered Classified ads & Business Directory Plugin Affected: 0 , ≤ 3.0.10.3 (semver)
    techlabpro1 classified_listing_plugin Affected: *
        cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*
    Credits
    Lucio Sá

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "classified_listing_plugin",
                "vendor": "techlabpro1",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3893",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-25T16:26:27.283994Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:45.354Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:26:57.110Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3073754/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAjax.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.10.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachements."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:30:17.705Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3073754/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAjax.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 3.0.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3893",
        "datePublished": "2024-04-25T07:33:59.902Z",
        "dateReserved": "2024-04-16T17:36:20.477Z",
        "dateUpdated": "2026-04-08T17:30:17.705Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1352 (GCVE-0-2024-1352)

    Vulnerability from nvd – Published: 2024-04-09 18:59 – Updated: 2026-04-08 17:33
    VLAI
    Title
    Classified Listing – Classified ads & Business Directory Plugin <= 3.0.4 - Missing Authorization
    Summary
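    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtcl_import_location() and rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms. Note that the CVSS vector in the record below is scored with PR:N (no privileges required), which does not match the subscriber-level precondition stated here; weigh the 6.5 base score accordingly.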
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    techlabpro1 Classified Listing – AI-Powered Classified ads & Business Directory Plugin Affected: 0 , ≤ 3.0.4 (semver)
    techlabpro1 classified_listing_plugin Affected: 0 , ≤ 3.0.4 (semver)
        cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*
    Credits
    Francesco Carlucci

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.618Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "classified_listing_plugin",
                "vendor": "techlabpro1",
                "versions": [
                  {
                    "lessThanOrEqual": "3.0.4",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1352",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-10T19:07:33.299678Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-08T19:18:16.659Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access \u0026 modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:33:25.030Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-04T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 3.0.4 - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1352",
        "datePublished": "2024-04-09T18:59:33.826Z",
        "dateReserved": "2024-02-08T17:54:27.266Z",
        "dateUpdated": "2026-04-08T17:33:25.030Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1315 (GCVE-0-2024-1315)

    Vulnerability from nvd – Published: 2024-04-09 18:58 – Updated: 2026-04-08 16:53
    VLAI
    Title
    Classified Listing <= 3.0.4 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account
    Summary
    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtcl_update_user_account' function. This makes it possible for unauthenticated attackers to change the administrator user's password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Francesco Carlucci

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1315",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-08T15:58:12.303907Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T18:00:14.709Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.419Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5439651e-5557-4b13-813a-4fc0ad876104?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.1/app/Controllers/Ajax/PublicUser.php#L445"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.5/app/Controllers/Ajax/PublicUser.php#L445"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the \u0027rtcl_update_user_account\u0027 function. This makes it possible for unauthenticated attackers to change the administrator user\u0027s password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:17.072Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5439651e-5557-4b13-813a-4fc0ad876104?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.1/app/Controllers/Ajax/PublicUser.php#L445"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.5/app/Controllers/Ajax/PublicUser.php#L445"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-04T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u003c= 3.0.4 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1315",
        "datePublished": "2024-04-09T18:58:48.332Z",
        "dateReserved": "2024-02-07T15:35:02.282Z",
        "dateUpdated": "2026-04-08T16:53:17.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-37387 (GCVE-0-2023-37387)

    Vulnerability from nvd – Published: 2023-07-18 12:14 – Updated: 2026-04-28 16:08
    Title
    WordPress Classified Listing Plugin <= 2.4.5 is vulnerable to Cross Site Request Forgery (CSRF)
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in the RadiusTheme Classified Listing plugin, versions <= 2.4.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    RadiusTheme Classified Listing Affected: n/a , ≤ 2.4.5 (custom)
    Credits
    Lana Codes (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:09:34.074Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-37387",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T16:35:16.984070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T17:01:58.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "classified-listing",
              "product": "Classified Listing",
              "vendor": "RadiusTheme",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.4.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.4.5",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Lana Codes (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a02.4.5 versions.\u003c/span\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin \u003c=\u00a02.4.5 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-62 Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:32.096Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a02.4.6 or a higher version."
                }
              ],
              "value": "Update to\u00a02.4.6 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Classified Listing Plugin \u003c= 2.4.5 is vulnerable to Cross Site Request Forgery (CSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-37387",
        "datePublished": "2023-07-18T12:14:15.680Z",
        "dateReserved": "2023-07-05T11:22:04.822Z",
        "dateUpdated": "2026-04-28T16:08:32.096Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2655 (GCVE-0-2022-2655)

    Vulnerability from nvd – Published: 2022-09-16 08:40 – Updated: 2024-08-03 00:46
    Title
    Classified Listing Pro < 2.0.20 - Reflected Cross-Site Scripting
    Summary
    The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    Team ISH Tecnologia (Thiago Martins, Jorge Buzeti, Leandro Inacio, Lucas de Souza, Matheus Oliveira, Filipe Baptistella, Leonardo Paiva, Jose Thomaz, Joao Maciel, Vinicius Pereira, Geovanni Campos, Hudson Nowak, Guilherme Acerbi) and Islan Ferreira.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:46:03.372Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.0.20",
                  "status": "affected",
                  "version": "2.0.20",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Team ISH Tecnologia (Thiago Martins"
            },
            {
              "lang": "en",
              "value": "Jorge Buzeti"
            },
            {
              "lang": "en",
              "value": "Leandro Inacio"
            },
            {
              "lang": "en",
              "value": "Lucas de Souza"
            },
            {
              "lang": "en",
              "value": "Matheus Oliveira"
            },
            {
              "lang": "en",
              "value": "Filipe Baptistella"
            },
            {
              "lang": "en",
              "value": "Leonardo Paiva"
            },
            {
              "lang": "en",
              "value": "Jose Thomaz"
            },
            {
              "lang": "en",
              "value": "Joao Maciel"
            },
            {
              "lang": "en",
              "value": "Vinicius Pereira"
            },
            {
              "lang": "en",
              "value": "Geovanni Campos"
            },
            {
              "lang": "en",
              "value": "Hudson Nowak"
            },
            {
              "lang": "en",
              "value": "Guilherme Acerbi) and Islan Ferreira."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-16T08:40:31.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Classified Listing Pro \u003c 2.0.20 - Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2655",
              "STATE": "PUBLIC",
              "TITLE": "Classified Listing Pro \u003c 2.0.20 - Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.0.20",
                                "version_value": "2.0.20"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Team ISH Tecnologia (Thiago Martins"
              },
              {
                "lang": "eng",
                "value": "Jorge Buzeti"
              },
              {
                "lang": "eng",
                "value": "Leandro Inacio"
              },
              {
                "lang": "eng",
                "value": "Lucas de Souza"
              },
              {
                "lang": "eng",
                "value": "Matheus Oliveira"
              },
              {
                "lang": "eng",
                "value": "Filipe Baptistella"
              },
              {
                "lang": "eng",
                "value": "Leonardo Paiva"
              },
              {
                "lang": "eng",
                "value": "Jose Thomaz"
              },
              {
                "lang": "eng",
                "value": "Joao Maciel"
              },
              {
                "lang": "eng",
                "value": "Vinicius Pereira"
              },
              {
                "lang": "eng",
                "value": "Geovanni Campos"
              },
              {
                "lang": "eng",
                "value": "Hudson Nowak"
              },
              {
                "lang": "eng",
                "value": "Guilherme Acerbi) and Islan Ferreira."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2655",
        "datePublished": "2022-09-16T08:40:31.000Z",
        "dateReserved": "2022-08-04T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:46:03.372Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2654 (GCVE-0-2022-2654)

    Vulnerability from nvd – Published: 2022-09-16 08:40 – Updated: 2025-06-05 18:18
    Title
    Classima < 2.1.11 - Reflected Cross-Site Scripting
    Summary
    The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    References
    Credits
    Team ISH Tecnologia (Thiago Martins, Jorge Buzeti, Leandro Inacio, Lucas de Souza, Matheus Oliveira, Filipe Baptistella, Leonardo Paiva, Jose Thomaz, Joao Maciel, Vinicius Pereira, Geovanni Campos, Hudson Nowak, Guilherme Acerbi) and Islan Ferreira.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:46:03.475Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2654",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-03T18:27:00.689359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-05T18:18:42.406Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.14",
                  "status": "affected",
                  "version": "2.2.14",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.0.20",
                  "status": "affected",
                  "version": "2.0.20",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Classified Listing Store \u0026 Membership Addon",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.4.20",
                  "status": "affected",
                  "version": "1.4.20",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Classima Core",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.10",
                  "status": "affected",
                  "version": "1.10",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Classima",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.1.11",
                  "status": "affected",
                  "version": "2.1.11",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Team ISH Tecnologia (Thiago Martins"
            },
            {
              "lang": "en",
              "value": "Jorge Buzeti"
            },
            {
              "lang": "en",
              "value": "Leandro Inacio"
            },
            {
              "lang": "en",
              "value": "Lucas de Souza"
            },
            {
              "lang": "en",
              "value": "Matheus Oliveira"
            },
            {
              "lang": "en",
              "value": "Filipe Baptistella"
            },
            {
              "lang": "en",
              "value": "Leonardo Paiva"
            },
            {
              "lang": "en",
              "value": "Jose Thomaz"
            },
            {
              "lang": "en",
              "value": "Joao Maciel"
            },
            {
              "lang": "en",
              "value": "Vinicius Pereira"
            },
            {
              "lang": "en",
              "value": "Geovanni Campos"
            },
            {
              "lang": "en",
              "value": "Hudson Nowak"
            },
            {
              "lang": "en",
              "value": "Guilherme Acerbi) and Islan Ferreira."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store \u0026 Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-16T08:40:31.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Classima \u003c 2.1.11 - Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2654",
              "STATE": "PUBLIC",
              "TITLE": "Classima \u003c 2.1.11 - Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.14",
                                "version_value": "2.2.14"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.0.20",
                                "version_value": "2.0.20"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Classified Listing Store \u0026 Membership Addon",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.4.20",
                                "version_value": "1.4.20"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Classima Core",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.10",
                                "version_value": "1.10"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Classima",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.1.11",
                                "version_value": "2.1.11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Team ISH Tecnologia (Thiago Martins"
              },
              {
                "lang": "eng",
                "value": "Jorge Buzeti"
              },
              {
                "lang": "eng",
                "value": "Leandro Inacio"
              },
              {
                "lang": "eng",
                "value": "Lucas de Souza"
              },
              {
                "lang": "eng",
                "value": "Matheus Oliveira"
              },
              {
                "lang": "eng",
                "value": "Filipe Baptistella"
              },
              {
                "lang": "eng",
                "value": "Leonardo Paiva"
              },
              {
                "lang": "eng",
                "value": "Jose Thomaz"
              },
              {
                "lang": "eng",
                "value": "Joao Maciel"
              },
              {
                "lang": "eng",
                "value": "Vinicius Pereira"
              },
              {
                "lang": "eng",
                "value": "Geovanni Campos"
              },
              {
                "lang": "eng",
                "value": "Hudson Nowak"
              },
              {
                "lang": "eng",
                "value": "Guilherme Acerbi) and Islan Ferreira."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store \u0026 Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2654",
        "datePublished": "2022-09-16T08:40:31.000Z",
        "dateReserved": "2022-08-04T00:00:00.000Z",
        "dateUpdated": "2025-06-05T18:18:42.406Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1063 (GCVE-0-2025-1063)

    Vulnerability from cvelistv5 – Published: 2025-02-25 06:58 – Updated: 2026-04-08 17:30
    Title
    Classified Listing – Classified ads & Business Directory Plugin <= 4.0.4 - Unauthenticated Settings Exposure
    Summary
    The Classified Listing – Classified ads & Business Directory Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    wesley

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1063",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T14:32:32.605702Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T14:37:36.278Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:30:16.994Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e701b771-59f2-4783-b0a1-bea4d6c3d245?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3241883/classified-listing"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-05T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-02-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 4.0.4 - Unauthenticated Settings Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-1063",
        "datePublished": "2025-02-25T06:58:31.877Z",
        "dateReserved": "2025-02-05T17:42:57.217Z",
        "dateUpdated": "2026-04-08T17:30:16.994Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7888 (GCVE-0-2024-7888)

    Vulnerability from cvelistv5 – Published: 2024-09-13 06:47 – Updated: 2026-04-08 16:50
    Title
    Classified Listing – Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization
    Summary
    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Lucio Sá

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7888",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-13T13:39:35.703881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-13T13:39:49.847Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "3.1.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:50:27.216Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/494d2e69-0759-419a-a603-e8870c157e49?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.1.6/app/Controllers/Ajax/FormBuilderAdminAjax.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3150743/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAdminAjax.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-12T18:35:01.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 3.1.7 - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7888",
        "datePublished": "2024-09-13T06:47:26.961Z",
        "dateReserved": "2024-08-16T16:01:37.031Z",
        "dateUpdated": "2026-04-08T16:50:27.216Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3893 (GCVE-0-2024-3893)

    Vulnerability from cvelistv5 – Published: 2024-04-25 07:33 – Updated: 2026-04-08 17:30
    Title
    Classified Listing – Classified ads & Business Directory Plugin <= 3.0.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion
    Summary
    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    techlabpro1 Classified Listing – AI-Powered Classified ads & Business Directory Plugin Affected: 0 , ≤ 3.0.10.3 (semver)
    techlabpro1 classified_listing_plugin Affected: *
        cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*
    Credits
    Lucio Sá

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "classified_listing_plugin",
                "vendor": "techlabpro1",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3893",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-25T16:26:27.283994Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:45.354Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:26:57.110Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3073754/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAjax.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.10.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachements."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:30:17.705Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7113b1c-78dc-4648-b14a-52ff6668fd1d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3073754/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAjax.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 3.0.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3893",
        "datePublished": "2024-04-25T07:33:59.902Z",
        "dateReserved": "2024-04-16T17:36:20.477Z",
        "dateUpdated": "2026-04-08T17:30:17.705Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1352 (GCVE-0-2024-1352)

    Vulnerability from cvelistv5 – Published: 2024-04-09 18:59 – Updated: 2026-04-08 17:33
    Title
    Classified Listing – Classified ads & Business Directory Plugin <= 3.0.4 - Missing Authorization
    Summary
    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtcl_import_location() and rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    techlabpro1 Classified Listing – AI-Powered Classified ads & Business Directory Plugin Affected: 0 , ≤ 3.0.4 (semver)
    techlabpro1 classified_listing_plugin Affected: 0 , ≤ 3.0.4 (semver)
        cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*
    Credits
    Francesco Carlucci

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.618Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:techlabpro1:classified_listing_plugin:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "classified_listing_plugin",
                "vendor": "techlabpro1",
                "versions": [
                  {
                    "lessThanOrEqual": "3.0.4",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1352",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-10T19:07:33.299678Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-08T19:18:16.659Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access \u0026 modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:33:25.030Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-04T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 3.0.4 - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1352",
        "datePublished": "2024-04-09T18:59:33.826Z",
        "dateReserved": "2024-02-08T17:54:27.266Z",
        "dateUpdated": "2026-04-08T17:33:25.030Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1315 (GCVE-0-2024-1315)

    Vulnerability from cvelistv5 – Published: 2024-04-09 18:58 – Updated: 2026-04-08 16:53
    Title
    Classified Listing <= 3.0.4 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account
    Summary
    The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtcl_update_user_account' function. This makes it possible for unauthenticated attackers to change the administrator user's password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Francesco Carlucci

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1315",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-08T15:58:12.303907Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T18:00:14.709Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.419Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5439651e-5557-4b13-813a-4fc0ad876104?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.1/app/Controllers/Ajax/PublicUser.php#L445"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.5/app/Controllers/Ajax/PublicUser.php#L445"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the \u0027rtcl_update_user_account\u0027 function. This makes it possible for unauthenticated attackers to change the administrator user\u0027s password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:17.072Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5439651e-5557-4b13-813a-4fc0ad876104?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.1/app/Controllers/Ajax/PublicUser.php#L445"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.0.5/app/Controllers/Ajax/PublicUser.php#L445"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-04T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u003c= 3.0.4 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1315",
        "datePublished": "2024-04-09T18:58:48.332Z",
        "dateReserved": "2024-02-07T15:35:02.282Z",
        "dateUpdated": "2026-04-08T16:53:17.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-37387 (GCVE-0-2023-37387)

    Vulnerability from cvelistv5 – Published: 2023-07-18 12:14 – Updated: 2026-04-28 16:08
    Title
    WordPress Classified Listing Plugin <= 2.4.5 is vulnerable to Cross Site Request Forgery (CSRF)
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    RadiusTheme Classified Listing Affected: n/a , ≤ 2.4.5 (custom)
    Credits
    Lana Codes (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:09:34.074Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-37387",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T16:35:16.984070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T17:01:58.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "classified-listing",
              "product": "Classified Listing",
              "vendor": "RadiusTheme",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.4.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.4.5",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Lana Codes (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a02.4.5 versions.\u003c/span\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin \u003c=\u00a02.4.5 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-62 Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:32.096Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a02.4.6 or a higher version."
                }
              ],
              "value": "Update to\u00a02.4.6 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Classified Listing Plugin \u003c= 2.4.5 is vulnerable to Cross Site Request Forgery (CSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-37387",
        "datePublished": "2023-07-18T12:14:15.680Z",
        "dateReserved": "2023-07-05T11:22:04.822Z",
        "dateUpdated": "2026-04-28T16:08:32.096Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2654 (GCVE-0-2022-2654)

    Vulnerability from cvelistv5 – Published: 2022-09-16 08:40 – Updated: 2025-06-05 18:18
    Title
    Classima < 2.1.11 - Reflected Cross-Site Scripting
    Summary
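    The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting. The CNA record below lists the vendor of every affected product as "Unknown", so inventory matching keyed on the vendor name may miss these components; match on product name and version instead.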
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    References
    Credits
    Team ISH Tecnologia (Thiago Martins, Jorge Buzeti, Leandro Inacio, Lucas de Souza, Matheus Oliveira, Filipe Baptistella, Leonardo Paiva, Jose Thomaz, Joao Maciel, Vinicius Pereira, Geovanni Campos, Hudson Nowak, Guilherme Acerbi) and Islan Ferreira.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:46:03.475Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2654",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-03T18:27:00.689359Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-05T18:18:42.406Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.14",
                  "status": "affected",
                  "version": "2.2.14",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.0.20",
                  "status": "affected",
                  "version": "2.0.20",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Classified Listing Store \u0026 Membership Addon",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.4.20",
                  "status": "affected",
                  "version": "1.4.20",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Classima Core",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.10",
                  "status": "affected",
                  "version": "1.10",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Classima",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.1.11",
                  "status": "affected",
                  "version": "2.1.11",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Team ISH Tecnologia (Thiago Martins"
            },
            {
              "lang": "en",
              "value": "Jorge Buzeti"
            },
            {
              "lang": "en",
              "value": "Leandro Inacio"
            },
            {
              "lang": "en",
              "value": "Lucas de Souza"
            },
            {
              "lang": "en",
              "value": "Matheus Oliveira"
            },
            {
              "lang": "en",
              "value": "Filipe Baptistella"
            },
            {
              "lang": "en",
              "value": "Leonardo Paiva"
            },
            {
              "lang": "en",
              "value": "Jose Thomaz"
            },
            {
              "lang": "en",
              "value": "Joao Maciel"
            },
            {
              "lang": "en",
              "value": "Vinicius Pereira"
            },
            {
              "lang": "en",
              "value": "Geovanni Campos"
            },
            {
              "lang": "en",
              "value": "Hudson Nowak"
            },
            {
              "lang": "en",
              "value": "Guilherme Acerbi) and Islan Ferreira."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store \u0026 Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-16T08:40:31.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Classima \u003c 2.1.11 - Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2654",
              "STATE": "PUBLIC",
              "TITLE": "Classima \u003c 2.1.11 - Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.14",
                                "version_value": "2.2.14"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.0.20",
                                "version_value": "2.0.20"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Classified Listing Store \u0026 Membership Addon",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.4.20",
                                "version_value": "1.4.20"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Classima Core",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.10",
                                "version_value": "1.10"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Classima",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.1.11",
                                "version_value": "2.1.11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Team ISH Tecnologia (Thiago Martins"
              },
              {
                "lang": "eng",
                "value": "Jorge Buzeti"
              },
              {
                "lang": "eng",
                "value": "Leandro Inacio"
              },
              {
                "lang": "eng",
                "value": "Lucas de Souza"
              },
              {
                "lang": "eng",
                "value": "Matheus Oliveira"
              },
              {
                "lang": "eng",
                "value": "Filipe Baptistella"
              },
              {
                "lang": "eng",
                "value": "Leonardo Paiva"
              },
              {
                "lang": "eng",
                "value": "Jose Thomaz"
              },
              {
                "lang": "eng",
                "value": "Joao Maciel"
              },
              {
                "lang": "eng",
                "value": "Vinicius Pereira"
              },
              {
                "lang": "eng",
                "value": "Geovanni Campos"
              },
              {
                "lang": "eng",
                "value": "Hudson Nowak"
              },
              {
                "lang": "eng",
                "value": "Guilherme Acerbi) and Islan Ferreira."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store \u0026 Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2654",
        "datePublished": "2022-09-16T08:40:31.000Z",
        "dateReserved": "2022-08-04T00:00:00.000Z",
        "dateUpdated": "2025-06-05T18:18:42.406Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2655 (GCVE-0-2022-2655)

    Vulnerability from cvelistv5 – Published: 2022-09-16 08:40 – Updated: 2024-08-03 00:46
    Title
    Classified Listing Pro < 2.0.20 - Reflected Cross-Site Scripting
    Summary
    The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Credits
    Team ISH Tecnologia (Thiago Martins, Jorge Buzeti, Leandro Inacio, Lucas de Souza, Matheus Oliveira, Filipe Baptistella, Leonardo Paiva, Jose Thomaz, Joao Maciel, Vinicius Pereira, Geovanni Campos, Hudson Nowak, Guilherme Acerbi) and Islan Ferreira.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:46:03.372Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.0.20",
                  "status": "affected",
                  "version": "2.0.20",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Team ISH Tecnologia (Thiago Martins"
            },
            {
              "lang": "en",
              "value": "Jorge Buzeti"
            },
            {
              "lang": "en",
              "value": "Leandro Inacio"
            },
            {
              "lang": "en",
              "value": "Lucas de Souza"
            },
            {
              "lang": "en",
              "value": "Matheus Oliveira"
            },
            {
              "lang": "en",
              "value": "Filipe Baptistella"
            },
            {
              "lang": "en",
              "value": "Leonardo Paiva"
            },
            {
              "lang": "en",
              "value": "Jose Thomaz"
            },
            {
              "lang": "en",
              "value": "Joao Maciel"
            },
            {
              "lang": "en",
              "value": "Vinicius Pereira"
            },
            {
              "lang": "en",
              "value": "Geovanni Campos"
            },
            {
              "lang": "en",
              "value": "Hudson Nowak"
            },
            {
              "lang": "en",
              "value": "Guilherme Acerbi) and Islan Ferreira."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-16T08:40:31.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Classified Listing Pro \u003c 2.0.20 - Reflected Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2655",
              "STATE": "PUBLIC",
              "TITLE": "Classified Listing Pro \u003c 2.0.20 - Reflected Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Classified Listing Pro - Classified ads \u0026 Business Directory Plugin",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.0.20",
                                "version_value": "2.0.20"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Team ISH Tecnologia (Thiago Martins"
              },
              {
                "lang": "eng",
                "value": "Jorge Buzeti"
              },
              {
                "lang": "eng",
                "value": "Leandro Inacio"
              },
              {
                "lang": "eng",
                "value": "Lucas de Souza"
              },
              {
                "lang": "eng",
                "value": "Matheus Oliveira"
              },
              {
                "lang": "eng",
                "value": "Filipe Baptistella"
              },
              {
                "lang": "eng",
                "value": "Leonardo Paiva"
              },
              {
                "lang": "eng",
                "value": "Jose Thomaz"
              },
              {
                "lang": "eng",
                "value": "Joao Maciel"
              },
              {
                "lang": "eng",
                "value": "Vinicius Pereira"
              },
              {
                "lang": "eng",
                "value": "Geovanni Campos"
              },
              {
                "lang": "eng",
                "value": "Hudson Nowak"
              },
              {
                "lang": "eng",
                "value": "Guilherme Acerbi) and Islan Ferreira."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2655",
        "datePublished": "2022-09-16T08:40:31.000Z",
        "dateReserved": "2022-08-04T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:46:03.372Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }