CVE-2026-42651
Description
Classified Listing plugin ≤5.3.9 has broken access control letting subscribers perform higher-privilege actions, enabling privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Classified Listing plugin versions 5.3.9 and earlier contain a broken access control vulnerability that allows subscribers—users with the lowest default WordPress role—to execute functions meant for higher-privileged roles such as administrators. This occurs due to missing authorization or nonce checks in certain plugin components, making the affected code paths reachable by any authenticated subscriber. [1]
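The pattern described above, missing capability and nonce checks on a handler reachable by any logged-in user, is shown below as an added, hypothetical example in WordPress PHP. It is not code from the Classified Listing plugin or from its fix; the action names, function names, the `listing_id` parameter and the capability chosen are assumptions. The first handler illustrates the weak shape, the second the checks a maintainer would add so that a subscriber (who holds only the `read` capability by default) is refused.

```php
<?php
// Added, hypothetical example; not code from the Classified Listing plugin.
// Action names, function names, the 'listing_id' parameter and the
// capability used below are assumptions for illustration.

// Weak pattern: 'wp_ajax_*' fires for every authenticated user, and the
// handler performs a privileged action with no capability or nonce check,
// so a subscriber account reaches wp_delete_post() directly.
add_action( 'wp_ajax_example_delete_listing', 'example_delete_listing_unsafe' );
function example_delete_listing_unsafe() {
    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    wp_delete_post( $listing_id, true );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce first (blocks cross-site request forgery),
// then require an explicit capability that subscribers do not hold, then
// check the per-object meta capability before acting.
add_action( 'wp_ajax_example_delete_listing_v2', 'example_delete_listing_safe' );
function example_delete_listing_safe() {
    // check_ajax_referer() ends the request with a 403 when the nonce is bad.
    check_ajax_referer( 'example_delete_listing', 'nonce' );

    // 'delete_others_posts' is held by editors and administrators, not subscribers.
    if ( ! current_user_can( 'delete_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;

    // Per-object check: the user must be allowed to delete this specific post.
    if ( ! $listing_id || ! current_user_can( 'delete_post', $listing_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    wp_delete_post( $listing_id, true );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of bug, walk every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm that each one carries both a nonce check and a `current_user_can()` test appropriate to the action; a handler registered only for logged-in users is not protected by that registration alone, since the subscriber role is enough to be logged in.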
Exploitation
An attacker only needs a subscriber-level account on a WordPress site running a vulnerable version of the plugin. By sending crafted HTTP requests to the unprotected endpoints, the attacker can perform actions that should require elevated privileges, such as creating, editing, or deleting classified listings. No unusual network access or user interaction beyond standard web requests is required. [1]
Impact
Successful exploitation enables a subscriber to escalate privileges within the plugin's context, gaining unauthorized access to administrative functions. This can lead to unauthorized modification or disclosure of data. The vulnerability carries a CVSS v3 score of 6.3 (Medium) and is expected to be targeted in mass-exploit campaigns, affecting thousands of sites. [1]
Mitigation
The vendor released version 5.3.10 which fixes the broken access control issue. Users should update to version 5.3.10 or later immediately. For Patchstack users, auto-updates for vulnerable plugins can be enabled. No other workarounds have been disclosed. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.3.9
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.