CVE-2025-1063

5.3 MEDIUM

📋 TL;DR

The Classified Listing WordPress plugin has an information disclosure vulnerability that allows unauthenticated attackers to extract sensitive data such as API keys and tokens. It affects all WordPress sites running plugin versions up to and including 4.0.4, and no authentication is required to exploit it.

💻 Affected Systems

Products:
  • Classified Listing – Classified ads & Business Directory Plugin for WordPress
Versions: All versions up to and including 4.0.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal API keys and tokens, leading to unauthorized access to integrated services, data breaches, and potential account takeovers.

🟠 Likely Case

Attackers harvest API keys and tokens to abuse connected services, potentially incurring costs or accessing sensitive data.

🟢 If Mitigated

With proper network segmentation and API key monitoring, impact is limited to exposed keys requiring rotation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple HTTP requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.5 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3241883/classified-listing

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Classified Listing' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 4.0.5+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable endpoint via .htaccess

Block access to the vulnerable rtcl_taxonomy_settings_export function

# Add to .htaccess in the WordPress root directory.
# Returns 403 Forbidden for any request whose query string contains the
# export function name (case-insensitive, [NC]). Note that %{QUERY_STRING}
# covers only the URL query string; parameters sent in a POST body are not
# inspected by this rule.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} rtcl_taxonomy_settings_export [NC]
RewriteRule .* - [F,L]
</IfModule>

🧯 If You Can't Patch

  • Immediately disable the Classified Listing plugin if not essential.
  • Implement WAF rules to block requests containing 'rtcl_taxonomy_settings_export' in query parameters.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Classified Listing version. If the version is 4.0.4 or lower, the site is vulnerable.

Check Version:

wp plugin list --name='classified-listing' --field=version

Verify Fix Applied:

Confirm plugin version is 4.0.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'rtcl_taxonomy_settings_export' in query string
  • Unusual access to wp-admin/admin-ajax.php with rtcl parameters

Network Indicators:

  • Outbound connections to API services using newly exposed keys
  • Unusual traffic patterns to plugin endpoints

SIEM Query:

source="web_logs" AND uri_query="*rtcl_taxonomy_settings_export*"
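The two log indicators above, applied to web-server access logs as an added example (not part of this advisory or the plugin's own code). It assumes Apache/nginx combined log format; the log lines, IP addresses and user agents are constructed sample data, not real traffic. A request whose query string contains the export function name is flagged HIGH; any other admin-ajax.php request carrying an rtcl action or parameter is flagged INFO so it can be baselined.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=rtcl_taxonomy_settings_export HTTP/1.1" 200 5120 "-" "curl/8.4.0"
198.51.100.7 - - [10/Feb/2025:12:00:05 +0000] "GET /?rtcl_taxonomy_settings_export=1 HTTP/1.1" 200 4096 "-" "python-requests/2.31"
192.0.2.44 - - [10/Feb/2025:12:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=rtcl_update_listing HTTP/1.1" 200 210 "https://example.test/" "Mozilla/5.0"
192.0.2.45 - - [10/Feb/2025:12:02:00 +0000] "GET /listings/page/2/ HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
192.0.2.46 - - [10/Feb/2025:12:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Function name named in the advisory's workaround and log indicators.
EXPORT_MARKER = "rtcl_taxonomy_settings_export"


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def has_rtcl_param(params):
    """True if any query key starts with 'rtcl' or action=rtcl_* is present."""
    for key, values in params.items():
        if key.startswith("rtcl"):
            return True
        if key == "action" and any(v.startswith("rtcl") for v in values):
            return True
    return False


def classify(rec):
    """Severity label for one parsed request, or None if nothing to report."""
    if EXPORT_MARKER in rec["query"].lower():
        return "HIGH"   # Log Indicator 1: export function in the query string
    if rec["path"].endswith("/wp-admin/admin-ajax.php") and has_rtcl_param(rec["params"]):
        return "INFO"   # Log Indicator 2: rtcl activity on admin-ajax.php
    return None


def scan(log_text):
    """Return (severity, ip, method, target, user_agent) for each flagged line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # skip lines that are not in combined log format
        sev = classify(rec)
        if sev:
            hits.append((sev, rec["ip"], rec["method"], rec["target"], rec["ua"]))
    return hits


if __name__ == "__main__":
    for sev, ip, method, target, ua in scan(SAMPLE_LOG):
        print(f"{sev:5} {ip:15} {method} {target} ua={ua}")
```

Access logs do not record POST bodies, so this only sees the query-string form of the request; a HIGH hit from an address that also appears in the outbound API traffic noted under Network Indicators is the strongest sign that exported keys are already in use and should be rotated.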
