PT-2026-41278 · WordPress · Classified Listing

Momopon1415 · Published 2026-05-15 · Updated 2026-05-15 · CVE-2026-7563

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Classified Listing – AI-Powered Classified ads & Business Directory Plugin versions prior to 5.3.11

Description

The plugin fails to properly verify user authorization for certain actions. This allows authenticated attackers with subscriber-level access or higher to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization. This is achieved through the AJAX actions add order note and send email to user by moderator.

Recommendations

Update to a version later than 5.3.10.
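
The class of check described above, as an added example (not code from the plugin or from this advisory): a WordPress AJAX handler that verifies the caller's capability before acting. The hook name, nonce name, `manage_options` capability and comment-based note storage are hypothetical stand-ins, and the file is assumed to be loaded inside WordPress as part of a plugin.

```php
<?php
// Added illustration; hook, nonce and capability names are hypothetical,
// not taken from the Classified Listing plugin's source.

// wp_ajax_{action} fires for ANY logged-in user, subscribers included,
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_example_add_order_note', 'example_add_order_note' );

function example_add_order_note() {
    // 1. CSRF: a valid nonce proves request origin, not the caller's role.
    check_ajax_referer( 'example_order_note', 'nonce' );

    // 2. Authorization: the step that is absent in this bug class.
    //    'manage_options' is an assumed stand-in for the plugin's own
    //    order-management capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validate input only after the caller is known to be authorized.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $note     = isset( $_POST['note'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) )
        : '';
    if ( 0 === $order_id || '' === $note || null === get_post( $order_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request' ), 400 );
    }

    // 4. Store the note; a comment on the order post is an assumed storage model.
    $user       = wp_get_current_user();
    $comment_id = wp_insert_comment(
        array(
            'comment_post_ID'  => $order_id,
            'comment_content'  => $note,
            'comment_type'     => 'order_note',
            'user_id'          => $user->ID,
            'comment_author'   => $user->display_name,
            'comment_approved' => 1,
        )
    );
    if ( ! $comment_id ) {
        wp_send_json_error( array( 'message' => 'Could not save note' ), 500 );
    }
    wp_send_json_success( array( 'note_id' => $comment_id ) );
}
```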

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-7563

Affected Products

Classified Listing