CVE-2025-12577: Medium-Severity Vulnerability in Listar WordPress Plugin Allows Unauthorized Listing Modification

Overview

A medium-severity vulnerability, identified as CVE-2025-12577, has been discovered in the Listar – Directory Listing & Classifieds WordPress Plugin. This flaw allows authenticated attackers with Subscriber-level access or higher to modify listing details without proper authorization. This can lead to data manipulation, potential defacement, and other malicious activities.

Technical Details

The vulnerability exists due to a missing capability check on the /wp-json/listar/v1/place/save REST API endpoint. In versions up to and including 3.0.0 of the Listar plugin, any authenticated user, even with the basic Subscriber role, can send requests to this endpoint with modified listing data. The absence of proper permission validation means the plugin incorrectly processes these requests, allowing the unauthorized user to alter listings managed by other users or administrators.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12577 is 4.3 (Medium).

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

While the CVSS score is moderate, the ease of exploitation and potential impact on data integrity make this a significant concern for websites using the Listar plugin.

Possible Impact

Successful exploitation of this vulnerability can lead to:

  • Data Manipulation: Attackers can modify listing details, potentially inserting malicious content or changing crucial information.
  • Defacement: Listings could be defaced with inappropriate or harmful content, damaging the website’s reputation.
  • Phishing: Modified listings could be used to redirect users to phishing sites or distribute malware.
  • Business Disruption: Incorrect or malicious listing data can lead to confusion and disrupt business operations.

Mitigation or Patch Steps

The most effective way to mitigate this vulnerability is to update the Listar – Directory Listing & Classifieds WordPress Plugin to the latest version. Check the WordPress plugin repository or the plugin’s settings within your WordPress dashboard for available updates.

If an update is not yet available, consider temporarily disabling the plugin until a patched version is released.
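
Where the plugin has to stay enabled in the meantime, the missing capability check can be enforced from outside the plugin. The following must-use plugin is an added example, not code from Listar or from this advisory. The constant names are hypothetical, and gating on `edit_others_posts` is an assumption that also blocks legitimate listing owners below Editor level until the plugin is patched.

```php
<?php
/**
 * Plugin Name: Listar place/save stopgap (added example, not Listar code)
 *
 * Place in wp-content/mu-plugins/. Rejects calls to the REST route named in
 * the advisory unless the caller holds an editor-level capability.
 */

// Route from the advisory, relative to /wp-json (hypothetical constant name).
const LISTAR_SAVE_ROUTE = '/listar/v1/place/save';

// Assumption: only roles with this capability (Editor and Administrator in a
// default install) may reach the endpoint while the plugin is unpatched.
const LISTAR_REQUIRED_CAP = 'edit_others_posts';

add_filter(
    'rest_request_before_callbacks',
    function ( $response, $handler, $request ) {
        // Keep any error raised earlier in the dispatch chain.
        if ( is_wp_error( $response ) ) {
            return $response;
        }

        // REST routes are matched case-insensitively, so normalise first.
        $route = strtolower( untrailingslashit( $request->get_route() ) );
        if ( LISTAR_SAVE_ROUTE !== $route ) {
            return $response;
        }

        if ( ! current_user_can( LISTAR_REQUIRED_CAP ) ) {
            // Leave a trace for later review of who tried to save listings.
            error_log( sprintf(
                'Blocked %s for user ID %d (CVE-2025-12577 stopgap)',
                LISTAR_SAVE_ROUTE,
                get_current_user_id()
            ) );

            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to modify listings.',
                array( 'status' => rest_authorization_required_code() )
            );
        }

        return $response;
    },
    10,
    3
);
```

Remove the file once a patched plugin version is installed, since it overrides whatever ownership rules the fixed endpoint applies.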
