CVE-2026-7563

MEDIUM

Classified Listing <= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions

Title source: cna

Description

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization.

References (14)

Core 14

Core References

https://plugins.trac.wordpress.org/changeset/3527717/

https://www.wordfence.com/threat-intel/vulnerabilities/id/07cb3d57-d768-49a5-8af0-9dc4384487d5?source=cve

https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Hooks/Comments.php#L63

https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Hooks/Comments.php#L63

https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Hooks/Comments.php#L51

https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Hooks/Comments.php#L51

https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/ListingAdminAjax.php#L48

https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Ajax/ListingAdminAjax.php#L48

https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Admin/ScriptLoader.php#L672

https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Admin/ScriptLoader.php#L672

https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Hooks/Comments.php#L63

https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Hooks/Comments.php#L51

https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Ajax/ListingAdminAjax.php#L48

https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Admin/ScriptLoader.php#L672

Scores

CVSS v3 4.3

EPSS 0.0004

EPSS Percentile 11.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

techlabpro1/Classified Listing – AI-Powered Classified ads & Business Directory Plugin < 5.3.10

Published May 15, 2026

Tracked Since May 15, 2026