PatchSiren cyber security CVE debrief

CVE-2026-42679 Mamunur Rashid CVE debrief

A Path Traversal vulnerability (CWE-22) exists in the Classified Listing WordPress plugin, affecting versions up to and including 5.3.8. The vulnerability allows an attacker with low privileges to traverse directory paths and potentially download arbitrary files from the server. The CVSS 3.1 score of 6.5 (Medium severity) reflects a Network attack vector with low attack complexity, requiring low privileges but no user interaction. The confidentiality impact is rated High, with no integrity or availability impact. The NVD entry currently carries a 'Deferred' status, indicating the record may be awaiting additional analysis or vendor coordination. No known exploitation in ransomware campaigns has been documented.

Vendor: Mamunur Rashid
Product: Classified Listing
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

WordPress site administrators using the Classified Listing plugin, security teams managing WordPress deployments, and hosting providers offering managed WordPress services.

Technical summary

The Classified Listing plugin for WordPress fails to properly limit pathnames to restricted directories, so an authenticated attacker with low privileges can supply path traversal sequences in a path parameter. Successful exploitation can lead to arbitrary file download, exposing sensitive server-side files such as configuration files, credentials, or source code. The vulnerability is remotely exploitable with low attack complexity and does not require user interaction.

Defensive priority

medium

Recommended defensive actions

  • Update the Classified Listing WordPress plugin to a version newer than 5.3.8 if available, or apply vendor-supplied patches referenced in security advisories.
  • Restrict or monitor access to plugin endpoints that handle file download or path parameters until patching is complete.
  • Review server file access logs for anomalous download requests containing directory traversal sequences (e.g., '../' or encoded equivalents) targeting the plugin.
  • Validate and sanitize all user-supplied path inputs within the plugin to ensure they resolve within intended directories.
  • Consider implementing Web Application Firewall (WAF) rules to block path traversal patterns in requests to the affected plugin.
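The containment check described in the fourth action and the log review in the third, as an added example (not code from the plugin or the advisory): a download path is accepted only if it still resolves inside the intended base directory after percent-decoding, and a logged request is flagged when its decoded form contains a traversal sequence. The base directory, the `file=` query parameter and the sample requests are constructed for illustration, not the plugin's real endpoint or parameter names.

```python
import os
from urllib.parse import unquote

TRAVERSAL_MARKERS = ("../", "..\\")


def decode_path_param(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded traversal
    (%252e%252e%252f -> %2e%2e%2f -> ../) is seen as what it is."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def resolve_download_path(base_dir: str, requested: str):
    """Return the absolute file path if `requested` stays inside base_dir,
    otherwise None. realpath() collapses '..' and follows symlinks, so the
    decision is made on the path the OS would actually open."""
    base = os.path.realpath(base_dir)
    candidate = decode_path_param(requested).replace("\\", "/")
    if "\x00" in candidate:          # null byte can truncate the path in C-level APIs
        return None
    # Treat the request as relative to base even if it starts with '/'.
    joined = os.path.realpath(os.path.join(base, candidate.lstrip("/")))
    try:
        common = os.path.commonpath([base, joined])
    except ValueError:
        return None
    if common != base or joined == base:
        return None
    return joined


def request_has_traversal(path_and_query: str) -> bool:
    """Detection helper for access-log review: True when the decoded
    request path/query contains '../' or '..\\' (covers encoded variants)."""
    decoded = decode_path_param(path_and_query)
    return any(marker in decoded for marker in TRAVERSAL_MARKERS)


# Constructed sample values; "uploads_rtcl" is a hypothetical upload directory.
BASE = "uploads_rtcl"
SAFE_REQUEST = "listing-42/brochure.pdf"
ENCODED_ATTEMPT = "%252e%252e%252f%252e%252e%252fwp-config.php"
LOGGED_REQUEST = "/wp-admin/admin-ajax.php?file=%2e%2e%2f%2e%2e%2fwp-config.php"
```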

Evidence notes

The vulnerability was reported to the Wordfence Intelligence and Patchstack databases. The NVD record lists the vulnerability status as 'Deferred' and references Patchstack as the source of the advisory. The affected product is the 'Classified Listing' WordPress plugin by Mamunur Rashid, with affected versions from n/a through 5.3.8. The CVSS vector confirms network-based attack with low privileges required (PR:L) and high confidentiality impact (C:H).

Official resources

2026-06-01