Vulnerability Description
The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the update_profile function. This makes it possible for unauthenticated attackers to modify victim's email via a forged request, which might lead to account takeover, granted they can trick a user into performing an action such as clicking on a link.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webcodingplace | Ultimate Classified Listings | <= 1.4 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/ultimate-classified-listings/tags/1.4Patch
- https://plugins.trac.wordpress.org/changeset/3251583/ultimate-classified-listing
- https://www.wordfence.com/threat-intel/vulnerabilities/id/61365b95-da97-425d-a31Third Party Advisory
FAQ
What is CVE-2024-13753?
CVE-2024-13753 is a vulnerability with a CVSS score of 8.1 (HIGH). The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the...
How severe is CVE-2024-13753?
CVE-2024-13753 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-13753?
Check the references section above for vendor advisories and patch information. Affected products include: Webcodingplace Ultimate Classified Listings.