CVE-2025-10706
📋 TL;DR
The Classified Pro WordPress theme allows authenticated users with subscriber-level access or higher to install arbitrary plugins due to a missing capability check. This vulnerability could lead to remote code execution by installing malicious plugins. Sites using Classified Pro theme version 1.0.14 or earlier with the CubeWP Framework plugin are affected.
💻 Affected Systems
- Classified Pro WordPress Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the WordPress site through remote code execution, potentially compromising the entire server and exfiltrating sensitive data.
Likely Case
Attackers install malicious plugins to establish backdoors, deface websites, or deploy cryptocurrency miners.
If Mitigated
Attackers can only install plugins but cannot execute them due to proper security controls, limiting impact to plugin management disruption.
🎯 Exploit Status
Exploitation requires authenticated access (subscriber or higher) and knowledge of the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.15 or later
Vendor Advisory: https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010
Restart Required: No
Instructions:
1. Update Classified Pro theme to version 1.0.15 or later via WordPress admin panel.
2. Verify CubeWP Framework plugin is also updated if available.
3. Clear WordPress cache after update.
🔧 Temporary Workarounds
Remove vulnerable theme
Temporarily switch to the default WordPress theme until the patch is applied
wp theme activate twentytwentyfour
Restrict user capabilities
Remove plugin installation capabilities from subscriber and other non-admin roles
wp role reset subscriber
wp cap remove subscriber install_plugins
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to the vulnerable 'cwp_addons_update_plugin_cb' function
- Monitor for unauthorized plugin installations and review installed plugins regularly
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for Classified Pro theme version. If version is 1.0.14 or earlier and CubeWP Framework plugin is installed, the system is vulnerable.
Check Version:
wp theme list --name=classified-pro --field=version
Verify Fix Applied:
Verify theme version is 1.0.15 or later in WordPress admin panel under Appearance > Themes.
📡 Detection & Monitoring
Log Indicators:
- POST requests to admin-ajax.php with action 'cwp_addons_update_plugin_cb'
- Unexpected plugin installation events in WordPress logs
- New plugin directories created without admin action
Network Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with plugin installation parameters from non-admin users
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "cwp_addons_update_plugin_cb"
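The log indicators above can be checked offline against a web server access log. The following Python script is an added example, not part of this advisory or of the Classified Pro / CubeWP code: it parses combined-format log lines, keeps only requests to /wp-admin/admin-ajax.php, pulls the action out of the query string (or out of a trailing body="..." field, which is an assumption about how a WAF or custom log_format might record POST bodies, since plain web server logs do not), and flags the 'cwp_addons_update_plugin_cb' action. The log lines, IP addresses and plugin slug are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The AJAX action name is the indicator the advisory gives; everything else
# here (log lines, IPs, plugin slug) is constructed for this example.
SUSPECT_ACTIONS = {"cwp_addons_update_plugin_cb"}
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/nginx "combined" format, plus an optional trailing body="..." field.
# Assumption: only a WAF audit log or a custom log_format adds that field;
# stock access logs record the request line and headers, not the POST body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: body="(?P<body>[^"]*)")?\s*$'
)

# Constructed sample: two suspect requests from one address (one with the
# action in the query string, one only in the logged body), plus two benign
# admin requests from another address.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=cwp_addons_update_plugin_cb HTTP/1.1" 200 512 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "https://example.test/" "Mozilla/5.0" body="action=cwp_addons_update_plugin_cb&plugin=evil-backdoor"
198.51.100.4 - - [12/Oct/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2025:10:02:30 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def _first(values, key):
    """parse_qs returns lists; take the first value or None."""
    vals = values.get(key)
    return vals[0] if vals else None


def extract_action(target, body):
    """Return (action, plugin) from the query string, falling back to the body."""
    query = parse_qs(urlsplit(target).query)
    action = _first(query, "action")
    plugin = _first(query, "plugin")
    if action is None and body:
        form = parse_qs(body)
        action = _first(form, "action")
        plugin = plugin or _first(form, "plugin")
    return action, plugin


def scan_log(text):
    """Return one record per request that carries a suspect admin-ajax action."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        if urlsplit(m["target"]).path != AJAX_PATH:
            continue  # only admin-ajax.php is relevant to this indicator
        action, plugin = extract_action(m["target"], m["body"])
        if action in SUSPECT_ACTIONS:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": m["status"], "action": action, "plugin": plugin,
            })
    return hits


def hits_by_ip(hits):
    """Count suspect requests per source address, for triage ordering."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} action={h["action"]} plugin={h["plugin"]}')
    print(dict(hits_by_ip(found)))
```

Run it against a real access log by passing the file contents to scan_log. Two caveats a defender should keep in mind: admin-ajax.php usually receives the action in the POST body, so a stock access log will show only the path and the hits will be invisible unless the body is logged somewhere (WAF audit log, custom log_format); and a web server log cannot tell an administrator's request from a subscriber's, so confirming the "from non-admin users" indicator requires WordPress-side user and plugin-install logging, which is what the "Unexpected plugin installation events in WordPress logs" indicator above refers to.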