Cyber Posture

CVE-2024-39623

Severity: High
Published: 02 January 2025
Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in CridioStudio ListingPro (listingpro) allows Authentication Bypass. This issue affects ListingPro: from n/a through <= 2.9.4.

Security Summary

CVE-2024-39623 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the CridioStudio ListingPro WordPress theme. It affects ListingPro versions from n/a through 2.9.4 and allows authentication bypass. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): high severity because it is reachable over the network, has low attack complexity, requires no privileges, and has high impact on confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely without their own credentials by tricking an already authenticated user into interacting with a malicious site or resource, such as clicking a crafted link. That user interaction is what triggers the CSRF request, resulting in authentication bypass and potential account takeover.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-3-cross-site-request-forgery-csrf-to-account-takeover-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

Affected Products: cridio / listingpro (≤ 2.9.5)
