CVE-2024-1315

Name of the Vulnerable Software and Affected Versions The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress versions up to, and including, 3.0.4

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the rtcl update user account function. This allows unauthenticated attackers to change the administrator user's password and email address via a forged request, granted they can trick a site administrator into performing an action. This results in the administrator being locked out of the site, while granting the attacker access to their account.

Recommendations For versions up to, and including, 3.0.4, update to a version that includes the fix for the nonce validation issue in the rtcl update user account function to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the rtcl update user account function until a patch is available.