CVE-2026-10779

Threats › CVE-2026-10779

Category: wordpress-vulnerability Published: 2026-06-18 Source updated: 2026-06-19 First seen: 2026-06-18 20:08 UTC Last updated: 2026-06-19 08:08 UTC Source: Wordfence

Description

The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own. Affected software — plugin: Classified Listing – AI-Powered Classified ads & Business Directory (affected: *-5.4.2). CVSS 4.3 (Medium) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Remediations (3)

Wordfence remediation: Classified Listing – AI-Powered Classified ads & Business Directory

Wordfence

Update to version 5.4.3, or a newer patched version

2026-06-19 08:08 UTC
Wordfence remediation: Classified Listing – AI-Powered Classified ads & Business Directory

Wordfence

Update to version 5.4.3, or a newer patched version

2026-06-19 02:09 UTC
Wordfence remediation: Classified Listing – AI-Powered Classified ads & Business Directory

Wordfence

Update to version 5.4.3, or a newer patched version

2026-06-18 20:08 UTC

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.

cve CVE-2026-10779

IOC database

Type: cve
Value: CVE-2026-10779
First seen: 2026-06-18 20:08 UTC
Last seen: 2026-06-19 06:08 UTC
Attached to this threat: 2026-06-18 20:08 UTC
Appears in: 1 threat
Description: Classified Listing <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'/'id' Parameters)

Open the full IOC page →

Threat Hunt — feed corroboration

Not present in any configured threat-intel feed.

Details From VirusTotal

No VirusTotal details cached for this IOC. Open the IOC page to query VirusTotal.

References (3)

CVE record: CVE-2026-10779 Wordfence
Wordfence vulnerability detail Wordfence
https://www.wordfence.com/threat-intel/vulnerabilities/id/5f7660ba-c3be-44f0-91cb-809d0021759a?source=api-prod Wordfence

AI Forensic Analysis

Only Available for Registered Users. Sign in to view.

CVE-2026-10779 medium

Classified Listing <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'/'id' Parameters)