CVE-2026-10779
Deferred Deferred - Pending Action

Missing Authorization in Classified Listing WordPress Plugin

Vulnerability report for CVE-2026-10779, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: Wordfence

Description

The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-09
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_job_manager classified_listing to 5.4.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Classified Listing – Classified ads & Business Directory plugin for WordPress has a vulnerability called Missing Authorization in all versions up to and including 5.4.2.

This vulnerability exists because the plugin does not properly check if a user has the right capability or ownership before allowing them to update the featured image of a listing via the gallery_image_update_as_feature AJAX handler.

Although the handler validates a nonce, this nonce is exposed to any logged-in user on the frontend listing-submission form, which means that any authenticated user with Subscriber-level access or higher can change the featured image of listings they do not own.

Impact Analysis

This vulnerability allows authenticated users with low-level access (Subscriber and above) to modify the featured images of listings they do not own.

Such unauthorized changes can lead to misinformation, misrepresentation of listings, or potential defacement of content on the affected WordPress site.

While it does not allow data disclosure or deletion, it impacts the integrity of the listings by allowing unauthorized image updates.

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access and above to change the featured image of arbitrary listings they do not own due to missing authorization checks.

However, there is no information provided in the available context or resources about how this vulnerability specifically impacts compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, you should update the Classified Listing – Classified ads & Business Directory plugin for WordPress to a version later than 5.4.2 where the missing authorization check has been fixed.

Additionally, restrict user roles to prevent Subscriber-level users or other low-privileged users from accessing the gallery_image_update_as_feature AJAX handler or submitting listings if possible.

Detection Guidance

This vulnerability involves the Classified Listing WordPress plugin's AJAX handler rtcl_fb_gallery_image_update_as_feature, which allows authenticated users with Subscriber-level access or higher to change the featured image of arbitrary listings without proper authorization.

To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the AJAX action rtcl_fb_gallery_image_update_as_feature, especially POST requests containing parameters for listing ID and attachment ID.

Example commands to detect such activity include:

  • Using grep on web server logs to find requests to the vulnerable AJAX action: grep 'rtcl_fb_gallery_image_update_as_feature' /var/log/apache2/access.log
  • Using tcpdump or tshark to capture HTTP POST requests containing the AJAX action: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'rtcl_fb_gallery_image_update_as_feature'
  • Using WP-CLI or custom scripts to check for unexpected changes in featured images of listings, especially those made by users with Subscriber-level permissions.

Note that detection relies on monitoring for suspicious AJAX requests or unexpected changes in listings, as the vulnerability itself is due to missing authorization checks rather than a visible error or crash.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10779. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart