{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23546", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-14T08:36:07.869Z", "datePublished": "2026-03-05T05:53:48.361Z", "dateUpdated": "2026-04-28T16:14:46.840Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "classified-listing", "product": "Classified Listing", "vendor": "RadiusTheme", "versions": [{"changes": [{"at": "5.3.5", "status": "unaffected"}], "lessThanOrEqual": "5.3.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:54.275Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.<p>This issue affects Classified Listing: from n/a through <= 5.3.4.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from n/a through <= 5.3.4."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.840Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-4-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Classified Listing plugin <= 5.3.4 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:45:39.140773Z", "id": "CVE-2026-23546", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:43:22.857Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23546", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:45:39.140773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:44:50.455Z"}}], "cna": {"title": "WordPress Classified Listing plugin <= 5.3.4 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "RadiusTheme", "product": "Classified Listing", "versions": [{"status": "affected", "changes": [{"at": "5.3.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.3.4"}], "packageName": "classified-listing", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:54.275Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-4-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from n/a through <= 5.3.4.", "supportingMedia": [{"type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.<p>This issue affects Classified Listing: from n/a through <= 5.3.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.840Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23546", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:46.840Z", "dateReserved": "2026-01-14T08:36:07.869Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:48.361Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from n/a through <= 5.3.4."}, {"lang": "es", "value": "Vulnerabilidad de Inserci\u00f3n de Informaci\u00f3n Sensible en Datos Enviados en RadiusTheme Classified Listing classified-listing permite Recuperar Datos Sensibles Incrustados. Este problema afecta a Classified Listing: desde n/a hasta &lt;= 5.3.4."}], "id": "CVE-2026-23546", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:22.093", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-4-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.3.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "5.3.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Classified Listing", "source": "cna", "vendor": "RadiusTheme"}, "product": "classified_listing", "vendor": "radiustheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T12:51:52.873702+00:00", "value": {"mitigation_remediation": ["Upgrade the Classified Listing plugin to version 5.3.5 or later to remove the data exposure flaw.", "If the plugin\u2019s functionality is not essential, disable or uninstall it to eliminate the vulnerable code path.", "After updating, review the plugin\u2019s public endpoints for inadvertent exposure of sensitive information and apply strict access controls where appropriate.", "Monitor server logs for abnormal requests that attempt to retrieve private data, and investigate any suspicious activity."], "summary": {"action": "Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "All installations of RadiusTheme's Classified Listing plugin from its earliest release up through version 5.3.4 are affected. Users should verify whether their WordPress site contains this plugin and check the installed version number to assess exposure.", "description_and_impact": "The RadiusTheme Classified Listing plugin suffers from a CWE-201 flaw that allows an attacker to retrieve sensitive data embedded in the plugin\u2019s responses. The vulnerability arises from the plugin\u2019s data handling process, which fails to properly conceal confidential information. It is inferred that no additional privileges are required because the description does not mention authentication or elevation, and the data can be accessed through normal plugin functionality. The impact is the disclosure of sensitive information, compromising confidentiality and potentially enabling further exploitation.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation presently. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, which means no confirmed public exploits exist. The likely attack vector is HTTP requests aimed at the plugin\u2019s exposed endpoints, a vector that appears to be remote and available to unauthenticated users; this inference is drawn from the nature of the data exposure described. The lack of reported exploits and the low EPSS score imply that the risk remains primarily theoretical, yet remediation is recommended to eliminate the potential data leakage."}}}}, "created": "2026-03-06T15:13:52.548976+00:00", "updated": "2026-04-17T13:00:12.013215+00:00", "vendors": ["radiustheme", "radiustheme$PRODUCT$classified_listing", "wordpress", "wordpress$PRODUCT$wordpress"]}