CVE-2026-42640

Vulnerability

An unauthenticated broken access control vulnerability exists in the WordPress Classified Listing plugin versions up to and including 5.3.8 [1]. The issue stems from missing authorization, authentication, or nonce token checks in a function, enabling unprivileged users to execute higher-privileged actions without proper validation [1].

Exploitation

An attacker can exploit this vulnerability remotely without any authentication or user interaction [1]. The attack vector is network-based, and no special privileges are required. The vulnerability is expected to be used in mass-exploit campaigns, targeting thousands of websites simultaneously [1].

Impact

Successful exploitation allows an unauthenticated attacker to perform unauthorized actions that should be restricted to higher-privileged users [1]. The CVSS v3 base score is 6.5 (Medium), indicating significant impact on confidentiality, integrity, or availability, though the exact scope of access gained depends on the specific function affected.

Mitigation

The vulnerability is fixed in version 5.3.9 or later of the plugin [1]. Users should update immediately to the patched version. If unable to update, users can employ a mitigation rule from Patchstack to block attacks until the update is applied [1]. No workaround other than updating or applying a virtual patch is mentioned.