CVE-2024-1352 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Classified Listing – Classified ads & Business Directory Plugin for WordPress, developed by techlabpro1. The issue stems from the absence of proper capability checks in two critical functions: rtcl_import_location() and rtcl_import_category(). These functions are responsible for importing location and category terms within the plugin’s taxonomy system. Due to missing authorization, any authenticated user with subscriber-level privileges or higher can invoke these functions to create new terms, effectively modifying the site’s data structure without appropriate permissions. This flaw exists in all versions up to and including 3.0.4. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS 3.1 base score is 6.5 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating low attack complexity, no privileges required beyond subscriber access, and impacts on confidentiality and integrity but not availability. While no public exploits have been reported, the vulnerability could be abused to manipulate site content, potentially enabling further attacks such as phishing, misinformation, or unauthorized data insertion within classified listings or business directories. The plugin’s widespread use in WordPress ecosystems makes this a relevant concern for many organizations relying on it for classified ads or business directory functionality.

The primary impact of CVE-2024-1352 is unauthorized modification of site data, specifically the creation of taxonomy terms such as categories and locations within the plugin’s classified listings. This can undermine data integrity and trustworthiness of the directory or classified ads content, potentially misleading users or enabling malicious content insertion. Attackers with subscriber-level access (which is a low privilege level in WordPress) can exploit this vulnerability, increasing the attack surface significantly. Although availability is not affected, the confidentiality and integrity of site data are at risk, which can lead to reputational damage, loss of user trust, and potential downstream attacks if malicious terms are used to redirect users or inject harmful links. Organizations relying on this plugin for business-critical listings or classified ads may face operational disruption or brand damage. Since no authentication beyond subscriber level is required, any compromised or registered user account can be leveraged for exploitation, increasing the likelihood of attack in environments with open registrations or weak user controls.

To mitigate CVE-2024-1352, organizations should immediately update the Classified Listing plugin to a patched version once released by the vendor. Until an official patch is available, administrators should restrict user roles that have subscriber-level or higher access from untrusted users to minimize risk. Implement custom capability checks or filters to enforce authorization on the rtcl_import_location() and rtcl_import_category() functions if possible. Monitoring and logging attempts to create new taxonomy terms can help detect exploitation attempts. Additionally, employing a Web Application Firewall (WAF) with rules targeting suspicious POST requests to the plugin’s endpoints may reduce attack surface. Regularly audit user accounts and permissions to ensure no unauthorized users have subscriber or higher roles. Educate site administrators about the risk and encourage prompt application of security updates. Finally, consider isolating or disabling the plugin if classified listing functionality is not critical until a fix is applied.