Classified Listing <= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions

Summary

CVE	CVE-2026-7563
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-15 09:16:17 UTC
Updated	2026-05-15 09:16:17 UTC
Description	The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization.

Risk And Classification

Primary CVSS: v3.1 4.3 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem Types: CWE-862 | CWE-862 CWE-862 Missing Authorization

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`
3.1	CNA	DECLARED	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Techlabpro1	Classified Listing AI-Powered Classified Ads Business Directory Plugin	affected 5.3.10 semver	Not specified

References

Reference	Source	Link	Tags
plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Admin/S...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Ajax/Li...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Admin/...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Admin/Script...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset/3527717	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Listing...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Hooks/Commen...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Hooks/...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Hooks/C...	[email protected]	plugins.trac.wordpress.org
www.wordfence.com/threat-intel/vulnerabilities/id/07cb3d57-d768-49a5-8af0-9dc43...	[email protected]	www.wordfence.com
plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.7/app/Controllers/Hooks/C...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Hooks/Commen...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Hooks/...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.10/app/Controllers/Ajax/L...	[email protected]	plugins.trac.wordpress.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: momopon1415 (en)

Additional Advisory Data

Source	Time	Event
CNA	2026-04-30T20:30:46.000Z	Vendor Notified
CNA	2026-05-14T19:53:53.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.