CVE-2024-13753 — Cross-Site Request Forgery in Ultimate Classified Listings

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

CNA8.1

EPSS

0.1%

top 65.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Webcodingplace Ultimate Classified Listings

Timeline

PublishedFeb 20

Description

The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the update_profile function. This makes it possible for unauthenticated attackers to modify victim's email via a forged request, which might lead to account takeover, granted they can trick a user into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5webcodingplace/ultimate_classified_listings1.5

▶NVDwebcodingplace/ultimate_classified_listings1.4

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

Ultimate Classified Listings <= 1.5 - Cross-Site Request Forgery to Account Takeover↗2025-02-20

▶

GHSA

GHSA-gf8q-w7qq-42f4: The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1↗2025-02-20

▶