Medium severity4.3NVD Advisory· Published May 15, 2026· Updated May 15, 2026
CVE-2026-7563
CVE-2026-7563
Description
The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization.
Affected products
1- Range: <=5.3.10
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
14- plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Admin/ScriptLoader.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Ajax/ListingAdminAjax.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Hooks/Comments.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Hooks/Comments.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Admin/ScriptLoader.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Ajax/ListingAdminAjax.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Hooks/Comments.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Hooks/Comments.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Admin/ScriptLoader.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/ListingAdminAjax.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Hooks/Comments.phpnvd
- plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Hooks/Comments.phpnvd
- plugins.trac.wordpress.org/changeset/3527717/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/07cb3d57-d768-49a5-8af0-9dc4384487d5nvd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026)Wordfence Blog · May 7, 2026