CVE-2024-1315 Overview
CVE-2024-1315 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Classified Listing – Classified ads & Business Directory Plugin for WordPress. The flaw exists in all versions up to and including 3.0.4. It stems from missing or incorrect nonce validation on the rtcl_update_user_account function. An unauthenticated attacker can trick a site administrator into clicking a crafted link, which silently changes the administrator account's password and email address. This locks out the legitimate administrator and grants full account takeover to the attacker [CWE-352].
Critical Impact
Successful exploitation results in WordPress administrator account takeover, password reset lockout, and complete compromise of the affected site.
Affected Products
- Radiustheme Classified Listing plugin for WordPress, versions up to and including 3.0.4
- WordPress sites running the Classified ads & Business Directory Plugin
- Plugin builds referencing the vulnerable rtcl_update_user_account AJAX handler in app/Controllers/Ajax/PublicUser.php
Discovery Timeline
- 2024-04-09 - CVE-2024-1315 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2024-1315
Vulnerability Analysis
The vulnerability resides in the plugin's account update workflow. The rtcl_update_user_account AJAX function processes requests to modify user account attributes, including password and email. The handler does not properly validate a WordPress nonce token tied to the authenticated session. Without nonce validation, the server cannot distinguish between a legitimate request from the WordPress admin interface and a forged request originating from a malicious site.
When an authenticated administrator visits an attacker-controlled page, the page can issue a cross-origin request to the vulnerable endpoint. The browser automatically attaches the administrator's session cookies. The plugin accepts the request as authentic and writes the attacker-supplied password and email to the administrator account. The attacker then logs in and uses the new email address to block recovery attempts.
Root Cause
The root cause is the absence of a proper check_ajax_referer or equivalent nonce verification in the rtcl_update_user_account handler. WordPress provides nonce primitives specifically to defeat CSRF, but the handler skipped or incorrectly implemented this check. The fix landed in version 3.0.5, as shown by the diff between tags 3.0.1 and 3.0.5 in the plugin source tree.
Attack Vector
Exploitation requires user interaction. The attacker hosts a page containing an auto-submitting HTML form or JavaScript that issues a POST request to the target site's admin-ajax.php endpoint with action=rtcl_update_user_account and attacker-chosen password and email parameters. The attacker delivers the link through phishing, a comment field, or another social channel. When a logged-in administrator opens the link, the browser submits the forged request with valid session cookies, and the account is silently overwritten.
No authentication or privileges are required from the attacker. Refer to the Wordfence Vulnerability Report for additional analysis.
Detection Methods for CVE-2024-1315
Indicators of Compromise
- Unexpected changes to the administrator user's email address or password in wp_users and wp_usermeta tables
- POST requests to /wp-admin/admin-ajax.php with action=rtcl_update_user_account originating from external Referer headers
- Failed administrator login attempts followed by successful logins from unfamiliar IP addresses
- New administrator sessions immediately preceded by web requests carrying off-site referrers
Detection Strategies
- Inventory WordPress sites running the Classified Listing plugin and flag any instance at version 3.0.4 or earlier
- Inspect web server access logs for admin-ajax.php calls invoking the rtcl_update_user_account action with cross-origin referrers
- Correlate WordPress audit log entries for administrator email or password changes with the timing of suspicious AJAX requests
Monitoring Recommendations
- Enable a WordPress activity logging plugin to record account modifications with originating IP and referrer data
- Alert on any change to a user account with the administrator role outside of approved maintenance windows
- Monitor outbound mail logs for password reset notifications sent to unfamiliar email addresses
How to Mitigate CVE-2024-1315
Immediate Actions Required
- Update the Classified Listing plugin to version 3.0.5 or later on every affected WordPress site
- Audit all administrator accounts for unauthorized email or password changes and restore legitimate values
- Force a password reset for all privileged users and invalidate active sessions
- Review recent administrator activity for unauthorized plugin installs, theme edits, or new user creations
Patch Information
The vendor remediated the issue in Classified Listing version 3.0.5 by adding nonce validation to the rtcl_update_user_account handler in app/Controllers/Ajax/PublicUser.php. Compare the vulnerable 3.0.1 handler with the patched 3.0.5 handler to confirm the fix.
Workarounds
- If immediate patching is not possible, deactivate the Classified Listing plugin until the update is applied
- Restrict administrator access to dedicated browsers or sessions that do not visit untrusted external links
- Deploy a web application firewall rule blocking POST requests to admin-ajax.php with action=rtcl_update_user_account when the Referer is not the site's own domain
# Example WAF rule (ModSecurity) to block cross-origin requests to the vulnerable action
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1003151,msg:'Block CSRF on rtcl_update_user_account'"
SecRule ARGS:action "@streq rtcl_update_user_account" "chain"
SecRule REQUEST_HEADERS:Referer "!@beginsWith https://your-site.example/"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
