CVE-2023-37387 – WordPress Classified Listing Plugin <= 2.4.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-37387
Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions. The Classified Listing plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.5. This is due to missing or incorrect nonce validation on the rtcl_ajax_thumbnail_delete function. This makes it possible for unauthenticated attackers to delete the post thumbnail via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/classified-listing/wordpress-classified-listing-plugin-2-4-5-cross-site-request-forgery-csrf-leading-to-thumbnail-removal-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-2654 – Classima < 2.1.11 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2654
The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting El tema Classima de WordPress versiones anteriores a 2.1.11 y algunos de sus plugins necesarios (Classified Listing versiones anteriores a 2.2.14, Classified Listing Pro versiones anteriores a 2.0.20, Classified Listing Store & Membership versiones anteriores a 1.4.20 y Classima Core versiones anteriores a 1.10) no escapan un parámetro antes de devolverlo en atributos, conllevando a una taque de tipo Cross-Site Scripting Reflejado The Classima theme for WordPress is vulnerable to Reflected Cross-site Scripting in versions up to 2.1.11 due to insufficient input sanitization and output escaping on the 'q' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This also affects the Classified Listing plugin before 2.2.14, Classified Listing Pro plugin before 2.0.20, Classified Listing Store & Membership plugin before 1.4.20 and Classima Core plugin before 1.10 • https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-2655 – Classified Listing Pro < 2.0.20 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2655
The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting El plugin Classified Listing Pro de WordPress versiones anteriores a 2.0.20, no escapa de una URL generada antes de devolverla a un atributo en una página de administración, conllevando a un ataque de tipo Cross-Site Scripting Reflejado The Classified Listing Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL in versions up to 2.0.20 due to insufficient input sanitization and output escaping on the URL being requested and reflected on the page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •