CVE-2026-7563 Overview
CVE-2026-7563 is a missing authorization vulnerability in the Classified Listing – AI-Powered Classified ads & Business Directory Plugin for WordPress. The flaw affects all versions up to and including 5.3.10. The plugin fails to verify that a user is authorized to perform privileged actions on orders. Authenticated attackers with subscriber-level access or above can add arbitrary notes to any order. The same flaw allows them to trigger unsolicited notification and moderation emails to listing owners without administrative authorization. The vulnerability is classified under [CWE-862] Missing Authorization.
Critical Impact
Subscriber-level attackers can manipulate order notes and spam listing owners with unauthorized notification and moderation emails, abusing the WordPress installation to deliver attacker-controlled content.
Affected Products
- Classified Listing – AI-Powered Classified ads & Business Directory Plugin for WordPress
- All versions up to and including 5.3.10
- WordPress sites running the plugin with open subscriber registration
Discovery Timeline
- 2026-05-15 - CVE-2026-7563 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-7563
Vulnerability Analysis
The vulnerability resides in the order notes and comments handling logic of the Classified Listing plugin. The affected code paths span app/Controllers/Admin/ScriptLoader.php, app/Controllers/Ajax/ListingAdminAjax.php, and app/Controllers/Hooks/Comments.php. The plugin exposes AJAX endpoints and comment hooks that perform privileged actions without confirming the caller's capability against the target resource.
The attack vector is network-based and requires authenticated access at the subscriber tier. Subscriber accounts are typically granted automatically on sites that allow open registration. An attacker with such an account can issue crafted requests to the order-notes endpoint, attach arbitrary notes to orders they do not own, and cause the plugin to dispatch moderation and notification emails to listing owners. The functional impact is limited to integrity of order metadata and abuse of the site's outbound mail channel.
Root Cause
The root cause is the absence of a capability check tying the acting user to the target order. The plugin verifies that a session exists but does not call current_user_can() against an order-scoped capability before mutating order data or triggering downstream email hooks. This is a classic [CWE-862] Missing Authorization pattern where authentication is conflated with authorization.
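To make the distinction concrete, the following is an added illustration and not the plugin's own code: a minimal WordPress AJAX handler that adds a note to an order, first in the CWE-862 shape the advisory describes (a logged-in session is the only gate) and then with the checks that tie the acting user to the target order. Every name in it (the example_cl_ prefix, the 'example_order' post type, the 'order_note' comment type and the example_cl_order_note_added hook) is a placeholder chosen for this example.

```php
<?php
// Added example, not code from the Classified Listing plugin. Names prefixed
// example_cl_ are hypothetical. Requires a WordPress runtime (WP_DEBUG builds
// of wp-admin/admin-ajax.php) because it uses core helpers.

// --- Vulnerable shape: authentication conflated with authorization. ---
// wp_ajax_* hooks fire only for logged-in users, so a subscriber reaches this
// handler, and nothing below asks whether that user may act on this order.
add_action( 'wp_ajax_example_cl_add_order_note_vulnerable', function () {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $note     = sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) );

    wp_insert_comment( array(
        'comment_post_ID' => $order_id,      // any order the caller names
        'comment_content' => $note,
        'comment_type'    => 'order_note',   // hypothetical note type
        'user_id'         => get_current_user_id(),
    ) );
    // Hypothetical hook on which the owner-notification mail is sent.
    do_action( 'example_cl_order_note_added', $order_id );
    wp_send_json_success();
} );

// --- Hardened shape: nonce, capability and ownership are all verified. ---
function example_cl_user_can_manage_order( int $user_id, int $order_id ): bool {
    $order = get_post( $order_id );
    if ( ! $order || 'example_order' !== $order->post_type ) {
        return false;                        // not an order at all
    }
    // Site administrators may act on any order; everyone else only on their own.
    if ( user_can( $user_id, 'manage_options' ) ) {
        return true;
    }
    return (int) $order->post_author === $user_id;
}

add_action( 'wp_ajax_example_cl_add_order_note', function () {
    // 1. CSRF: the request must carry a nonce minted with
    //    wp_create_nonce( 'example_cl_add_order_note' ) in the page that
    //    issues the request; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'example_cl_add_order_note', 'nonce' );

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $note     = sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) );
    $user_id  = get_current_user_id();

    // 2. Authorization: the acting user must be allowed to touch this order.
    //    This is the check whose absence the advisory describes.
    if ( ! example_cl_user_can_manage_order( $user_id, $order_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }
    if ( '' === $note ) {
        wp_send_json_error( array( 'message' => 'Empty note.' ), 400 );
    }

    $comment_id = wp_insert_comment( array(
        'comment_post_ID' => $order_id,
        'comment_content' => $note,
        'comment_type'    => 'order_note',
        'user_id'         => $user_id,
    ) );
    if ( ! $comment_id ) {
        wp_send_json_error( array( 'message' => 'Could not save note.' ), 500 );
    }

    // 3. Only an authorized, persisted note may trigger the mail-sending hook,
    //    so the outbound mail channel cannot be driven by an arbitrary caller.
    do_action( 'example_cl_order_note_added', $order_id, $comment_id );
    wp_send_json_success( array( 'comment_id' => $comment_id ) );
} );
```

The ordering in the hardened handler matters: the nonce check rejects forged cross-site requests, the ownership check rejects authenticated users acting on orders that are not theirs, and the notification hook runs only after both have passed and the write has succeeded.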
Attack Vector
An authenticated subscriber sends an AJAX request to the listing admin endpoint referenced at ListingAdminAjax.php#L48, supplying an arbitrary order identifier and note payload. The handler accepts the request, persists the note, and invokes the comment hooks at Comments.php#L51 and Comments.php#L63, which generate moderation and notification emails to the listing owner. No administrative confirmation is required at any step.
Refer to the Wordfence Vulnerability Analysis and the WordPress Changeset #3527717 for the technical details and remediation diff.
Detection Methods for CVE-2026-7563
Indicators of Compromise
- Unexpected entries in the WordPress wp_comments or order-notes tables attributed to non-administrative user IDs.
- Spikes in outbound moderation or notification emails originating from the WordPress host to listing-owner addresses.
- AJAX requests to the admin-ajax.php endpoint invoking Classified Listing admin actions from subscriber-level accounts.
- Newly created subscriber accounts immediately followed by order-note POST requests.
Detection Strategies
- Inspect web server access logs for POST requests to admin-ajax.php carrying Classified Listing action parameters, then resolve the requesting session to a WordPress user and role; access logs alone do not record capabilities, so the manage_options check has to come from the user table or an audit log.
- Correlate database writes to order-notes tables with the user role of the authenticated session at the time of the request.
- Hunt for anomalous comment insertions where comment_author does not match the order owner or any administrator account.
Monitoring Recommendations
- Enable WordPress audit logging to record AJAX actions, role changes, and comment creation events.
- Monitor mail server queues for sudden volume increases from the WordPress host that could indicate abuse of the notification path.
- Alert on new user registrations followed by privileged plugin actions within a short time window.
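The following is an added example, not part of the advisory or of any audit plugin, that implements two of the strategies above (order-note writes by a user who is neither an administrator nor the order's owner, and registration followed by a plugin AJAX action within a short window) over a constructed audit log. The one-JSON-object-per-line schema with ts/event/user_id/role/action/order_id/order_owner fields, the example_cl_ action prefix and every user and order id are assumptions made for the example; a real audit plugin has its own schema and the plugin's real action names must be read from its source.

```php
<?php
// Added detection example. The log format and all values are constructed.

// Assumed prefix of the plugin's AJAX action names (placeholder, not the
// plugin's real prefix).
const EXAMPLE_PLUGIN_ACTION_PREFIX = 'example_cl_';

// Constructed sample: user 501 registers and, ninety seconds later, adds a note
// to order 77, which belongs to user 12. The administrator (1) and the owner
// (12) also add notes, legitimately. User 502 registers but acts a day later.
function example_audit_log(): string {
    return <<<'LOG'
{"ts":"2026-05-15T10:00:00Z","event":"user_registered","user_id":501,"role":"subscriber"}
{"ts":"2026-05-15T10:01:30Z","event":"ajax_action","user_id":501,"role":"subscriber","action":"example_cl_add_order_note","order_id":77}
{"ts":"2026-05-15T10:01:31Z","event":"order_note_added","user_id":501,"role":"subscriber","order_id":77,"order_owner":12}
{"ts":"2026-05-15T11:00:00Z","event":"order_note_added","user_id":1,"role":"administrator","order_id":77,"order_owner":12}
{"ts":"2026-05-15T11:05:00Z","event":"order_note_added","user_id":12,"role":"customer","order_id":77,"order_owner":12}
{"ts":"2026-05-15T12:00:00Z","event":"user_registered","user_id":502,"role":"subscriber"}
{"ts":"2026-05-16T12:00:00Z","event":"ajax_action","user_id":502,"role":"subscriber","action":"example_cl_add_order_note","order_id":78}
LOG;
}

// Parse JSON lines into event arrays sorted by time; malformed lines are
// skipped rather than aborting the hunt.
function parse_audit_lines( string $log ): array {
    $events = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $row = json_decode( $line, true );
        if ( ! is_array( $row ) || ! isset( $row['ts'], $row['event'], $row['user_id'] ) ) {
            continue;
        }
        $row['ts'] = strtotime( $row['ts'] );
        $events[]  = $row;
    }
    usort( $events, fn( $a, $b ) => $a['ts'] <=> $b['ts'] );
    return $events;
}

// Strategy 1: note writes where the actor is neither an administrator nor the
// order's owner. Under correct authorization these should never occur.
function detect_unauthorized_order_notes( array $events ): array {
    $hits = array();
    foreach ( $events as $e ) {
        if ( 'order_note_added' !== $e['event'] || 'administrator' === $e['role'] ) {
            continue;
        }
        if ( (int) $e['user_id'] === (int) ( $e['order_owner'] ?? -1 ) ) {
            continue;
        }
        $hits[] = $e;
    }
    return $hits;
}

// Strategy 2: a registration followed by a plugin AJAX action by the same user
// within $window seconds (default one hour).
function detect_rapid_registration_then_action( array $events, int $window = 3600 ): array {
    $registered = array();
    $hits       = array();
    $prefix_len = strlen( EXAMPLE_PLUGIN_ACTION_PREFIX );
    foreach ( $events as $e ) {
        $uid = (int) $e['user_id'];
        if ( 'user_registered' === $e['event'] ) {
            $registered[ $uid ] = $e['ts'];
            continue;
        }
        if ( 'ajax_action' !== $e['event'] || ! isset( $e['action'] ) ) {
            continue;
        }
        if ( 0 !== strncmp( $e['action'], EXAMPLE_PLUGIN_ACTION_PREFIX, $prefix_len ) ) {
            continue;
        }
        if ( isset( $registered[ $uid ] ) && $e['ts'] - $registered[ $uid ] <= $window ) {
            $hits[] = $e;
        }
    }
    return $hits;
}

// Run both detections over the constructed sample. On this data each
// strategy flags exactly one event, both for user 501.
$events = parse_audit_lines( example_audit_log() );
foreach ( detect_unauthorized_order_notes( $events ) as $h ) {
    printf( "note by non-owner: user %d (%s) on order %d owned by %d\n",
        $h['user_id'], $h['role'], $h['order_id'], $h['order_owner'] );
}
foreach ( detect_rapid_registration_then_action( $events ) as $h ) {
    printf( "plugin action shortly after registration: user %d -> %s on order %d\n",
        $h['user_id'], $h['action'], $h['order_id'] );
}
```

The owner-versus-actor rule in Strategy 1 is the detection counterpart of the missing check in the code: any note whose author is not the order's owner or an administrator is a write the patched plugin would have refused. Strategy 2 tolerates the day-later action by user 502 because the window is meant to catch accounts created for the purpose, not every subscriber who eventually uses the plugin.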
How to Mitigate CVE-2026-7563
Immediate Actions Required
- Update the Classified Listing plugin to the version released in WordPress Changeset #3527717, which is the first release after 5.3.10.
- Audit existing order notes and comments for entries created by non-administrative accounts since the plugin was installed.
- Review and tighten WordPress user registration settings, disabling open subscriber signup where it is not required.
Patch Information
The vendor addressed the issue in the release referenced by WordPress Changeset #3527717. The patch adds capability checks to the affected AJAX handler and comment hooks so that only users authorized for the target order can add notes or trigger notification emails. Administrators should apply the update through the WordPress plugin manager and confirm the installed version is greater than 5.3.10.
Workarounds
- Restrict access to wp-admin/admin-ajax.php for the Classified Listing actions using a web application firewall rule until the patch is applied.
- Temporarily disable the Classified Listing plugin on sites that allow open subscriber registration if patching is delayed.
- Disable new user registration via Settings → General → Membership to remove the pool of attacker-controlled subscriber accounts.
# Configuration example: verify installed plugin version and update via WP-CLI
# Print the installed version; anything at or below 5.3.10 is affected
wp plugin get classified-listing --field=version
# Pull the patched release from the WordPress.org plugin repository
wp plugin update classified-listing
# Confirm the plugin is active and that the version now exceeds 5.3.10
wp plugin list --name=classified-listing --status=active --fields=name,version,status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.