CVE-2025-12574
BaseFortify
Publication date: 2025-12-06
Last updated on: 2025-12-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| passionui | listar_directory_listing_and_classifieds_wordpress_plugin | 3.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Listar β Directory Listing & Classifieds WordPress Plugin up to version 3.0.0. It is caused by a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint, allowing authenticated users with Subscriber-level access or higher to delete arbitrary posts without proper authorization.
How can this vulnerability impact me? :
An attacker with at least Subscriber-level access can exploit this vulnerability to delete arbitrary posts on the affected WordPress site. This could lead to unauthorized data loss and disruption of website content.
What immediate steps should I take to mitigate this vulnerability?
The plugin 'Listar β Directory Listing & Classifieds' was closed on December 4, 2025, pending a full security review and is currently unavailable for download. Immediate mitigation steps include disabling or uninstalling the plugin to prevent exploitation, especially since the vulnerability allows authenticated users with Subscriber-level access to delete arbitrary posts. Monitoring WordPress debug logs for errors related to the plugin activation may also help identify issues. Await the release of a patched version before re-enabling the plugin. [1]