cleantalk
Vulnerabilities and Security Researches

Ultimate Classified Listings, CVE-2024-13753

CVE, Research URL

CVE-2024-13753

Home page URL

Security reports for Ultimate Classified Listings

Application

Ultimate Classified Listings

Published on
Feb 20, 2025
Research Description
The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the update_profile function. This makes it possible for unauthenticated attackers to modify victim's email via a forged request, which might lead to account takeover, granted they can trick a user into performing an action such as clicking on a link.
Affected versions
Min -, max 1.4.
Status
vulnerable
Previous vulnerability researches
Ultimate Classified Listings (CVE-2024-52487) , Nov 23, 2024
Ultimate Classified Listings (CVE-2024-52448) , Nov 22, 2024
Ultimate Classified Listings (CVE-2024-13753) , Feb 22, 2025
Ultimate Classified Listings (CVE-2024-13748) , Feb 22, 2025
Ultimate Classified Listings (CVE-2024-5882) , Jul 17, 2024
New vulnerability
SB Chart block (CVE-2025-3661) , Apr 20, 2025
Themesflat Addons For Elementor (CVE-2025-3275) , Apr 20, 2025
WP Simple Booking Calendar (CVE-2025-39541) , Apr 20, 2025
WordPress Job Board and Recruitment Plugin – JobWP (CVE-2025-2010) , Apr 20, 2025
WP Logger (CVE-2025-39456) , Apr 20, 2025