CVE-2025-12882

9.8 CRITICAL

📋 TL;DR

The Clasifico Listing WordPress plugin allows unauthenticated attackers to register accounts with administrator privileges by manipulating the 'listing_user_role' parameter during registration. This privilege escalation vulnerability affects all WordPress sites running Clasifico Listing plugin versions up to and including 2.0. Attackers can gain full control of vulnerable WordPress installations.

💻 Affected Systems

Products:
  • Clasifico Listing WordPress Plugin
Versions: All versions up to and including 2.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user registration to be enabled in WordPress settings.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover: attackers gain administrator access and can install backdoors, deface the site, steal data, or use the site for further attacks.

🟠 Likely Case

Attackers create administrator accounts, install malicious plugins or themes, modify content, or exfiltrate sensitive data.

🟢 If Mitigated

Limited impact if registration is disabled or proper user role validation is implemented.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the exploit requires no authentication.
🏢 Internal Only: LOW - This primarily affects public-facing WordPress installations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request with manipulated role parameter. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.0 (check plugin repository for latest)

Vendor Advisory: https://themeforest.net/item/clasifico-classified-ads-wordpress-theme/33539482

Restart Required: No

Instructions:

  1. Update the Clasifico Listing plugin to the latest version.
  2. In WordPress admin, go to Plugins.
  3. Find Clasifico Listing and click Update Now.
  4. Verify the update completes successfully.

🔧 Temporary Workarounds

Disable User Registration (applies to: all)

Temporarily disable new user registration in WordPress settings:
WordPress Admin → Settings → General → Uncheck 'Anyone can register'

Deactivate Plugin (applies to: all)

Temporarily deactivate the vulnerable plugin:
WordPress Admin → Plugins → Find Clasifico Listing → Deactivate

🧯 If You Can't Patch

  • Disable user registration in WordPress settings immediately
  • Implement web application firewall rules to block requests containing 'listing_user_role' parameter

🔍 How to Verify

Check if Vulnerable:

Check WordPress Admin → Plugins → Clasifico Listing for the installed version. If the version is 2.0 or lower, you are vulnerable.

Check Version:

WordPress Admin → Plugins → Clasifico Listing shows version number

Verify Fix Applied:

After updating, verify the plugin version is above 2.0. Then perform a test registration that supplies the role parameter and confirm the supplied role is no longer honoured.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to registration endpoints with 'listing_user_role' parameter
  • New user registrations with administrator role
  • Multiple failed registration attempts

Network Indicators:

  • POST requests to /wp-login.php?action=register with role parameters
  • Traffic patterns showing new admin account creation

SIEM Query:

source="web_logs" AND (uri_path="/wp-login.php" OR uri_path="/wp-admin/admin-ajax.php") AND http_method="POST" AND (param="listing_user_role" OR user_role="administrator")
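The indicators above can also be checked offline against request logs. The following is an added example, not part of this advisory: it assumes a JSON-lines log from a body-logging reverse proxy or WAF audit log (plain access logs do not record POST bodies) and flags POST requests to the named registration endpoints that carry the 'listing_user_role' parameter, rating privileged role values as critical.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Registration endpoints the advisory names as worth watching.
REGISTRATION_PATHS = {"/wp-login.php", "/wp-admin/admin-ajax.php"}
ROLE_PARAM = "listing_user_role"
# Roles whose self-assignment by an unauthenticated client is a takeover.
PRIVILEGED_ROLES = {"administrator", "editor"}


def inspect_request(record):
    """Return a finding dict for one logged request, or None if benign.
    `record` uses an assumed format: a dict with method, uri, client and the
    raw form-encoded POST body, as a body-logging proxy would capture it."""
    if record.get("method", "").upper() != "POST":
        return None
    url = urlsplit(record.get("uri", ""))
    if url.path not in REGISTRATION_PATHS:
        return None
    # The role may be supplied in the query string or the body; check both.
    params = parse_qs(url.query)
    params.update(parse_qs(record.get("body", "")))
    roles = params.get(ROLE_PARAM)
    if not roles:
        return None
    role = roles[0].strip().lower()
    return {
        "client": record.get("client", "?"),
        "path": url.path,
        "role": role,
        # Any client-chosen role is suspicious; a privileged one is critical.
        "severity": "critical" if role in PRIVILEGED_ROLES else "high",
    }


def scan_log(text):
    """Run inspect_request over JSON-lines log text and collect findings."""
    records = (json.loads(line) for line in text.splitlines() if line.strip())
    return [f for f in map(inspect_request, records) if f]


# Constructed sample log, not real traffic: a normal registration, a tampered
# one, and a GET that carries the parameter but is not a registration POST.
SAMPLE_LOG = """
{"client": "203.0.113.7", "method": "POST", "uri": "/wp-login.php?action=register", "body": "user_login=alice&user_email=alice%40example.com"}
{"client": "198.51.100.9", "method": "POST", "uri": "/wp-login.php?action=register", "body": "user_login=bob&user_email=bob%40example.com&listing_user_role=administrator"}
{"client": "198.51.100.9", "method": "GET", "uri": "/wp-login.php?action=register&listing_user_role=administrator", "body": ""}
"""
```

Running `scan_log(SAMPLE_LOG)` returns a single critical finding for the second record; the first record has no role parameter and the third is not a POST.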
