What the vulnerability does
01 Description
The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update_listing_type", and "rtcl_ajax_delete_listing_type" functions in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, update, or delete listing types.
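A stopgap that puts the missing capability check in front of the three handlers, as an added example that is not the plugin's or this advisory's code. It assumes the AJAX action names match the function names given above and that `manage_options` is the right capability for managing listing types; verify both against the installed plugin.

```php
<?php
/**
 * Added example: must-use plugin (e.g. wp-content/mu-plugins/) that enforces
 * a capability check before the handlers named in the advisory run.
 *
 * ASSUMPTION: each AJAX action name equals the function name on this page.
 * ASSUMPTION: 'manage_options' is the capability that should gate
 *             listing-type management on this site.
 */
defined( 'ABSPATH' ) || exit;

// Hypothetical helper name; not part of the plugin.
function example_require_listing_type_capability() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // Sends a JSON error with HTTP 403 and terminates the request,
        // so the plugin's own handler never executes.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}

$example_guarded_actions = array(
    'rtcl_ajax_add_listing_type',
    'rtcl_ajax_update_listing_type',
    'rtcl_ajax_delete_listing_type',
);

foreach ( $example_guarded_actions as $example_action ) {
    // Priority 0 runs ahead of callbacks registered at the default
    // priority of 10 on the same wp_ajax_{action} hook.
    add_action( 'wp_ajax_' . $example_action, 'example_require_listing_type_capability', 0 );
}
```

If the plugin registers its handlers at a priority lower than 0, the guard would run too late; check the hook priority in the installed version.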
Explanation of Vulnerability in Simple Terms
02 Summary
The Classified Listing plugin for WordPress contains a missing authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter listings or other content without proper permission checks. The vulnerability affects versions up to and including 5.2.0 and requires an active user account to exploit.
What an attacker can do
03 Attacker Capabilities
Modify listings or content belonging to other users or the site without proper authorization.
Potential impact on your site
04 Site Impact
Unauthorized changes to classified listings, business directory entries, or other plugin data by authenticated users.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
November 11, 2025: CVE published
April 8, 2026: Record updated