CVE-2026-42679
Description
A path traversal vulnerability in the Classified Listing plugin for WordPress allows unauthenticated attackers to download arbitrary files from the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Classified Listing plugin for WordPress, in versions up to and including 5.3.8, contains an improper limitation of a pathname to a restricted directory, commonly known as path traversal. This vulnerability exists because the plugin fails to properly sanitize user-supplied input when handling file paths, allowing the application to access files outside of the intended directory structure [2].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted request to the affected WordPress site. No authentication or specific user privileges are required to trigger the path traversal, making it accessible to remote, unauthenticated actors who can manipulate the request parameters to traverse the filesystem and target sensitive files [2].
Impact
Successful exploitation allows an attacker to download arbitrary files from the underlying server. This can lead to the unauthorized disclosure of sensitive information, including configuration files, database credentials, or site backups, potentially resulting in a full compromise of the WordPress installation [2].
Mitigation
Users should update the Classified Listing plugin to version 5.3.9 or later to resolve this vulnerability [2]. If an immediate update is not possible, site administrators are advised to implement web application firewall rules to block malicious requests targeting file paths until the plugin can be patched [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=5.3.8
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.