CVE-2024-1315Radiustheme · Classified_listing
Vulnerability data via NVD (ingested)
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtcl_update_user_account' function. This makes it possible for unauthenticated attackers to change the administrator user's password and email address via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This locks the administrator out of the site and prevents them from resetting their password, while granting the attacker access to their account.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2024-1315http.html:"/wp-content/plugins/classified-listing/"product:"Radiustheme Classified Listing"http.html:"Classified Listing"More intel sources (5)
vuln:CVE-2024-1315vulnerabilities.cve_id: CVE-2024-1315CVE-2024-1315CVE-2024-1315"CVE-2024-1315" exploit -site:nvd.nist.gov