{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24972", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:41.578Z", "datePublished": "2026-03-25T16:14:33.958Z", "dateUpdated": "2026-03-25T16:14:33.958Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "eltd-listing", "product": "Elated Listing", "vendor": "Elated-Themes", "versions": [{"changes": [{"at": "1.5", "status": "unaffected"}], "lessThanOrEqual": "<= 1.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:15.484Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Elated Listing: from n/a through <= 1.4.</p>"}], "value": "Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elated Listing: from n/a through <= 1.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.958Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/eltd-listing/vulnerability/wordpress-elated-listing-plugin-1-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Elated Listing plugin <= 1.4 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elated Listing: from n/a through <= 1.4."}], "id": "CVE-2026-24972", "lastModified": "2026-03-25T17:16:39.217", "metrics": {}, "published": "2026-03-25T17:16:39.217", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/eltd-listing/vulnerability/wordpress-elated-listing-plugin-1-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:16:59.672966+00:00", "value": {"mitigation_remediation": ["Upgrade the Elated Listing plugin to the latest version if one is available; if not, remove or deactivate the plugin until a fix is released.", "Limit WordPress user roles to prevent unauthorized users from accessing the admin area.", "Verify that WordPress core and other plugins are kept current to reduce overall attack surface."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access and Data Modification"}, "threat_synthesis": {"affected_systems": "All WordPress sites using Elated-Themes' Elated Listing plugin with a version number of 1.4 or earlier are affected. Versions prior to the launch of the plugin also contain the flaw, as the issue exists from the earliest releases through the last vulnerable release.", "description_and_impact": "The Elated Listing plugin for WordPress suffers from a missing authorization check. Because the code does not verify that the user has sufficient privileges, any user who can reach the plugin\u2019s endpoints can perform actions reserved for administrators. This flaw permits the reading, modification, or deletion of listings\u2014and, where applicable, other administrative functions\u2014without authentication. The weakness corresponds to CWE\u2011862: Missing Authorization.", "risk_and_exploitability": "Because authentication is not required, an attacker only needs network access to the site. The vulnerability therefore has a high exploitation likelihood in the wild. No public exploit has been disclosed and the EPSS score is unavailable, but the lack of protective checks signals a substantial risk. The flaw is not recorded in any national known\u2011exploited\u2011vulnerability catalog, but administrators should treat it as a priority issue."}}}}, "created": "2026-03-25T21:34:37.131940+00:00", "updated": "2026-03-25T21:34:37.131966+00:00", "vendors": []}