CVE-2024-1315 HIGH

CVE-2024-1315: Classified Listing <= 3.0.4 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account

Vendor Techlabpro1
Product Classified Listing – AI-Powered Classified ads & Business Directory Plugin
Weakness CWE-352 · CSRF
Published April 9, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtcl_update_user_account' function. This makes it possible for unauthenticated attackers to change the administrator user's password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account.

Key dates

02Disclosure timeline

April 9, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-24708 WordPress W3SPEEDSTER Plugin <= 7.19 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2023-27441 WordPress New Adman Plugin <= 1.6.8 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2020-7332 Cross-Site Request Forgery (CSRF) in firewall ePO extension of McAfee Endpoint Security (ENS) CVE-2023-6008 UserPro <= 5.1.1 - Cross-Site Request Forgery via multiple functions CVE-2026-27758 SODOLA SL902-SWTGW124AS <= 200.1.20 Missing CSRF Protections