CVE-2025-12574
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to delete arbitrary posts through a REST API endpoint. It affects all WordPress sites using the Listar plugin up to version 3.0.0. The issue stems from missing authorization checks on the delete endpoint.
💻 Affected Systems
- Listar – Directory Listing & Classifieds WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could delete all posts, pages, and custom post types, causing complete content loss and site disruption.
Likely Case
Disgruntled users or compromised accounts deleting specific posts to cause content loss or business disruption.
If Mitigated
Minimal impact if proper user access controls and monitoring are in place to detect unauthorized deletions.
🎯 Exploit Status
Exploitation requires authenticated access but is simple via REST API calls. No special tools needed beyond basic HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.1 or later
Vendor Advisory: https://wordpress.org/plugins/listar-directory-listing/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Listar – Directory Listing & Classifieds'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 3.0.1+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
allRemove or block access to the vulnerable API endpoint using WordPress hooks or web server configuration.
Add to theme's functions.php: remove_action('rest_api_init', 'listar_register_rest_routes');
Restrict user roles
allTemporarily limit user accounts to only trusted administrators until patch is applied.
🧯 If You Can't Patch
- Implement strict user access controls and review all user accounts with Subscriber+ roles.
- Enable comprehensive logging and monitoring of POST/DELETE requests to /wp-json/listar/v1/place/delete endpoint.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Listar plugin version. If version is 3.0.0 or lower, you are vulnerable.Check Version:
wp plugin list --name=listar-directory-listing --field=versionVerify Fix Applied:
After updating, verify plugin version shows 3.0.1 or higher. Test authenticated delete requests should return proper authorization errors.📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to DELETE /wp-json/listar/v1/place/delete from non-admin users
- Unusual post deletion activity in WordPress logs
Network Indicators:
- DELETE requests to /wp-json/listar/v1/place/delete endpoint from unexpected IPs
SIEM Query:
http.method="DELETE" AND http.uri="/wp-json/listar/v1/place/delete" AND NOT user.role="administrator"