cleantalk
Vulnerabilities and Security Researches

Classified Listing – Classified ads & Business Directory Plugin, CVE-2024-11194

CVE, Research URL

CVE-2024-11194

Home page URL

Security reports for Classified Listing – Classified ads & Business Directory Plugin

Application

Classified Listing – Classified ads & Business Directory Plugin

Published on
Nov 19, 2024
Research Description
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a misconfigured check on the 'rtcl_import_settings' function in all versions up to, and including, 3.1.15.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited arbitrary options on the WordPress site. This can be leveraged to update the Subscriber role with Administrator-level capabilities to gain administrative user access to a vulnerable site. The vulnerability is limited in that the option updated must have a value that is an array.
Affected versions
Min -, max 3.1.16.
Status
vulnerable
Previous vulnerability researches
Ultimate Classified Listings (CVE-2024-52487) , Nov 23, 2024
Ultimate Classified Listings (CVE-2024-52448) , Nov 22, 2024
Ultimate Classified Listings (CVE-2024-13753) , Feb 22, 2025
Ultimate Classified Listings (CVE-2024-13748) , Feb 22, 2025
Ultimate Classified Listings (CVE-2024-5882) , Jul 17, 2024
New vulnerability
WP Simple Booking Calendar (CVE-2025-39541) , Apr 20, 2025
WordPress Job Board and Recruitment Plugin – JobWP (CVE-2025-2010) , Apr 20, 2025
WP Logger (CVE-2025-39456) , Apr 20, 2025
visualslider Sldier (CVE-2025-23448) , Apr 20, 2025
RSS Manager (CVE-2025-39418) , Apr 20, 2025