The vulnerability identified as CVE-2024-13753 affects the Ultimate Classified Listings plugin for WordPress, versions up to and including 1.4. It is a Cross-Site Request Forgery (CSRF) flaw categorized under CWE-352, caused by missing or incorrect nonce validation in the update_profile function. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. In this case, the absence or improper implementation of nonce checks allows attackers to craft malicious web requests that, when executed by an authenticated user, modify the victim's email address without their consent. This unauthorized change can facilitate account takeover scenarios, especially if the attacker leverages password reset or account recovery processes tied to the email address. The vulnerability requires no authentication on the attacker's part but does require user interaction, such as clicking a specially crafted link or visiting a malicious website. The CVSS 3.1 base score of 8.1 indicates a high-severity issue with network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the published date. The vulnerability was reserved on January 27, 2025, and published on February 20, 2025, by Wordfence. Given the widespread use of WordPress and the plugin's role in classified listings, this vulnerability poses a significant risk to website owners and users.

The primary impact of this vulnerability is the potential for account takeover through unauthorized modification of user email addresses. This compromises confidentiality by exposing user account control to attackers and integrity by allowing unauthorized changes to user data. Organizations running websites with the Ultimate Classified Listings plugin are at risk of user account compromises, which can lead to further unauthorized access, data breaches, or fraudulent activities. Attackers could exploit this vulnerability to hijack accounts, potentially gaining access to sensitive information or administrative functions if the compromised accounts have elevated privileges. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in phishing-prone environments. The vulnerability does not affect system availability directly but can lead to reputational damage, loss of user trust, and compliance issues if exploited. Given the plugin's use in classified listings, attackers might also manipulate listings or user profiles, further impacting business operations and user experience.

To mitigate this vulnerability, organizations should immediately update the Ultimate Classified Listings plugin to a version that includes proper nonce validation once available. In the absence of an official patch, administrators can implement manual nonce checks in the update_profile function to ensure requests are legitimate. Additionally, deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious CSRF attempts targeting the plugin's endpoints can reduce risk. Educating users about phishing and social engineering tactics to avoid clicking on suspicious links is critical since exploitation requires user interaction. Administrators should also monitor user account changes, especially email modifications, and implement multi-factor authentication (MFA) to reduce the impact of account takeovers. Regular backups and incident response plans should be in place to quickly recover from potential compromises. Finally, limiting plugin usage to trusted environments and disabling unnecessary features can reduce the attack surface.