Overview
CVE-2025-12574 is a security vulnerability affecting the Listar – Directory Listing & Classifieds WordPress plugin. It allows authenticated attackers with Subscriber-level access or higher to delete arbitrary posts, because one of the plugin's REST API endpoints performs no capability check before deleting. All versions of the plugin up to and including 3.0.0 are affected.
Technical Details
The vulnerability lies in the /wp-json/listar/v1/place/delete REST API endpoint. The endpoint is intended for deleting listings, but it only establishes that the caller is logged in; it never establishes that the caller is allowed to delete the post in question. An attacker with Subscriber-level access can therefore send a request to this endpoint naming the ID of any post on the site and have it deleted. The missing step is a capability check against the target post: WordPress exposes this as the delete_post meta capability, which resolves to delete_posts for the author's own posts and delete_others_posts (plus delete_published_posts, where relevant) for anyone else's. A Subscriber holds none of these, so a correct check would have rejected the request. Authentication (is this a real user?) and authorization (may this user delete this post?) are separate questions, and the endpoint answers only the first.
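The pattern described above, shown as an added illustration rather than the Listar plugin's own code: a route whose permission_callback only tests for a logged-in user (the vulnerable shape), beside the same route hardened with a per-post capability check. The namespace and route path follow the advisory; the POST method, the `id` parameter name, the `example_` function names and the `-secure` route suffix are assumptions made so both variants can be loaded side by side.

```php
<?php
// Added example, not the plugin's own code. Route path from the advisory;
// HTTP method, the 'id' parameter name and all example_* names are assumed.

// VULNERABLE shape: 'is_user_logged_in' is authentication, not authorization.
// Any Subscriber passes it, and the handler never asks whether the caller may
// delete this particular post.
add_action( 'rest_api_init', function () {
    register_rest_route( 'listar/v1', '/place/delete', array(
        'methods'             => 'POST',
        'callback'            => 'example_listar_delete_vulnerable',
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

function example_listar_delete_vulnerable( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    // No capability check: any logged-in user can delete any post ID.
    wp_delete_post( $post_id, true );
    return rest_ensure_response( array( 'deleted' => $post_id ) );
}

// HARDENED shape: authorize against the specific post with the 'delete_post'
// meta capability, which WordPress maps to delete_posts / delete_others_posts /
// delete_published_posts according to who owns the post and its status.
add_action( 'rest_api_init', function () {
    register_rest_route( 'listar/v1', '/place/delete-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_listar_delete_secure',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request->get_param( 'id' );
            $post    = get_post( $post_id );
            if ( ! $post ) {
                return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.',
                    array( 'status' => 404 ) );
            }
            if ( ! current_user_can( 'delete_post', $post_id ) ) {
                // 401 for anonymous callers, 403 for logged-in callers who lack the cap.
                return new WP_Error( 'rest_forbidden', 'You cannot delete this post.',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_listar_delete_secure( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    $result  = wp_delete_post( $post_id, true );
    if ( ! $result ) {
        return new WP_Error( 'rest_cannot_delete', 'The post cannot be deleted.',
            array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => $post_id ) );
}
```

Two practical notes. First, requiring a capability check does not make the endpoint unreachable for low-privilege users: with cookie authentication the REST API also requires a valid X-WP-Nonce header, but any logged-in Subscriber can obtain one from a page they are allowed to view, so the nonce is CSRF protection and must not be mistaken for authorization. Second, if the listing post type should be the only deletable type, add a `get_post_type( $post ) === 'listing'` style test to the permission callback as well; the exact post type name is plugin-specific and not stated in the advisory.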
CVSS Analysis
- CVSS Score: 4.3 (Medium)
- Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Explanation: The vector is CVSS v3.x. The attacker reaches the endpoint over the network with no special conditions (Attack Vector: Network, Attack Complexity: Low), must hold a low-privilege account (Privileges Required: Low), needs no interaction from another user (User Interaction: None), and the effect stays within the WordPress site (Scope: Unchanged). The impact is scored as a limited loss of integrity (Integrity: Low), with no loss of confidentiality or availability, which yields 4.3 (Medium). The score treats content deletion purely as an integrity impact; on a site whose listings are the service itself, operators may reasonably treat the practical severity as higher than the base score suggests.
Possible Impact
Successful exploitation of this vulnerability can lead to several negative consequences:
- Data Loss: Important posts and listings can be deleted, resulting in data loss for website owners.
- Service Disruption: The removal of critical content can disrupt the website’s functionality and user experience.
- Reputational Damage: Malicious actors could delete listings to deface the website or to remove specific content, such as notices or competing listings, that they want gone.
Mitigation and Patch Steps
The best course of action is to update the Listar plugin to a version higher than 3.0.0 once a patched release is available; the vendor's fix should add the missing capability check on the vulnerable REST API endpoint. To confirm whether a site is exposed, check the installed plugin version on the Plugins screen or with `wp plugin list --fields=name,version` and compare it against 3.0.0. If an update is not yet available, consider the following temporary measures, none of which is a substitute for the patch:
- Disable the Plugin: Temporarily disable the Listar plugin until a patched version is released. This will prevent exploitation of the vulnerability.
- Restrict Subscriber Access: Because the endpoint performs no capability check at all, trimming the capabilities of the Subscriber role does not help; a Subscriber already holds only `read`. What reduces exposure is limiting who can hold an account: turn off open registration (Settings > General, "Anyone can register") if the site does not need it, review existing low-privilege accounts, and treat any unexpected new Subscriber as suspicious until the plugin is patched.
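A third interim option, shown here as an added example and not as vendor code, is a site-side guard that runs before the plugin's handler and applies the capability check the plugin omits. WordPress fires the `rest_request_before_callbacks` filter before any route's permission callback, and returning a WP_Error from it short-circuits the request. The route path is taken from the advisory; the `id` parameter name is an assumption, and the guard matches every HTTP method because the advisory does not state which one the endpoint uses. Install it as a must-use plugin (wp-content/mu-plugins/) so it cannot be deactivated from the dashboard.

```php
<?php
/**
 * Plugin Name: Listar place/delete interim guard (added example)
 * Description: Site-side authorization check for the Listar REST delete route.
 *              Not vendor code; remove once the plugin is patched.
 */

// Route path from the advisory. The 'id' parameter name is an assumption.
const EXAMPLE_LISTAR_DELETE_ROUTE = '/listar/v1/place/delete';

add_filter( 'rest_request_before_callbacks', 'example_listar_guard_delete', 10, 3 );

/**
 * Deny the affected route unless the caller could delete the named post under
 * the normal WordPress capability system.
 *
 * @param mixed           $response Response so far (null unless an earlier filter set it).
 * @param array           $handler  Matched route handler.
 * @param WP_REST_Request $request  Incoming request.
 * @return mixed Unchanged response, or WP_Error to block the request.
 */
function example_listar_guard_delete( $response, $handler, WP_REST_Request $request ) {
    // Only act on the affected route; leave every other REST call untouched.
    if ( $request->get_route() !== EXAMPLE_LISTAR_DELETE_ROUTE ) {
        return $response;
    }
    // If an earlier filter already produced an error, keep it.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    $post_id = absint( $request->get_param( 'id' ) );
    $user_id = get_current_user_id();

    // Deny anonymous callers, malformed IDs, and any user who lacks the
    // delete_post meta capability for this specific post.
    if ( ! $user_id || ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        // Log the attempt so a wave of denied deletions is visible in the PHP error log.
        error_log( sprintf(
            'listar guard: denied delete of post %d by user %d from %s',
            $post_id,
            $user_id,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to delete this listing.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $response;
}
```

The guard only covers the REST route named in the advisory. If the plugin also exposes listing deletion through another path (an admin-ajax action or a front-end form handler, for example), that path is not protected by this filter, which is one more reason the guard is a stopgap rather than a fix. After installing it, confirm with a test Subscriber account that a request to the route returns HTTP 403 and that an Administrator can still delete listings normally.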