CVE-2026-10779
Received - Intake
Missing Authorization in Classified Listing WordPress Plugin

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Wordfence

Description
The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wp_job_manager
Product: classified_listing
Version / Range: to 5.4.2 (inc)
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Classified Listing – Classified ads & Business Directory plugin for WordPress has a Missing Authorization vulnerability in all versions up to and including 5.4.2.

This vulnerability exists because the plugin does not check whether a user has the required capability or owns the listing before allowing them to update its featured image via the gallery_image_update_as_feature AJAX handler.

Although the handler validates a nonce, this nonce is exposed to any logged-in user on the frontend listing-submission form, which means that any authenticated user with Subscriber-level access or higher can change the featured image of listings they do not own.
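
The missing check, shown as an added example of the general WordPress pattern (this is not the plugin's code or the vendor's patch). The function name, nonce action and request field names are hypothetical, and the attachment-parent check assumes gallery images are attached to their listing; only the AJAX action name comes from the advisory.

```php
<?php
// Added illustration: nonce check plus the capability/ownership check the
// advisory says is missing. All names except the AJAX action are hypothetical.
add_action( 'wp_ajax_rtcl_fb_gallery_image_update_as_feature', 'example_set_listing_featured_image' );

function example_set_listing_featured_image() {
	// 1. The nonce only proves the request came from the site's form (CSRF
	//    protection). Any logged-in user who can load the form has one.
	check_ajax_referer( 'example_listing_form_nonce', 'nonce' );

	$listing_id    = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
	$attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
	if ( ! $listing_id || ! $attachment_id ) {
		wp_send_json_error( array( 'message' => 'Missing listing or attachment ID.' ), 400 );
	}

	// 2. Authorization: the caller must own the listing or hold the mapped
	//    edit capability for this specific post.
	$is_owner = (int) get_post_field( 'post_author', $listing_id ) === get_current_user_id();
	if ( ! $is_owner && ! current_user_can( 'edit_post', $listing_id ) ) {
		wp_send_json_error( array( 'message' => 'You cannot edit this listing.' ), 403 );
	}

	// 3. The attachment must be an image that belongs to this listing, so a
	//    caller cannot point the listing at unrelated media.
	$attachment = get_post( $attachment_id );
	if ( ! $attachment
		|| 'attachment' !== $attachment->post_type
		|| (int) $attachment->post_parent !== $listing_id
		|| ! wp_attachment_is_image( $attachment_id ) ) {
		wp_send_json_error( array( 'message' => 'Attachment is not an image of this listing.' ), 403 );
	}

	// set_post_thumbnail() returns false when the value is unchanged, so an
	// already-featured image is treated as success rather than an error.
	$already_set = (int) get_post_thumbnail_id( $listing_id ) === $attachment_id;
	if ( ! $already_set && ! set_post_thumbnail( $listing_id, $attachment_id ) ) {
		wp_send_json_error( array( 'message' => 'Could not update the featured image.' ), 500 );
	}

	wp_send_json_success( array( 'listing_id' => $listing_id, 'featured_image' => $attachment_id ) );
}
```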

Impact Analysis

This vulnerability allows authenticated users with low-level access (Subscriber and above) to modify the featured images of listings they do not own.

Such unauthorized changes can lead to misinformation, misrepresentation of listings, or potential defacement of content on the affected WordPress site.

While it does not allow data disclosure or deletion, it impacts the integrity of the listings by allowing unauthorized image updates.

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access and above to change the featured image of arbitrary listings they do not own due to missing authorization checks.

However, there is no information provided in the available context or resources about how this vulnerability specifically impacts compliance with common standards and regulations such as GDPR or HIPAA.
