CVE-2025-7711
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to execute arbitrary shortcodes through the Classified Listing plugin. Attackers can potentially inject malicious code that runs with WordPress privileges, affecting all sites running vulnerable plugin versions up to 5.0.3.
💻 Affected Systems
- Classified Listing – Classified ads & Business Directory Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary PHP code, leading to complete site compromise, data theft, or malware installation.
Likely Case
Attackers inject malicious shortcodes to deface sites, redirect visitors, or steal session cookies.
If Mitigated
With proper access controls and monitoring, impact limited to authenticated user privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.0.4
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Classified Listing' plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.0.4+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate Classified Listing plugin until patched
wp plugin deactivate classified-listing
Restrict user registration
allDisable new user registration to prevent attacker account creation
Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict access controls and monitor Subscriber-level accounts for suspicious activity.
- Use web application firewall (WAF) rules to block suspicious shortcode execution patterns.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Classified Listing version. If version ≤5.0.3, vulnerable.Check Version:
wp plugin get classified-listing --field=versionVerify Fix Applied:
Confirm plugin version is 5.0.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode execution in WordPress debug logs
- Multiple failed login attempts followed by successful Subscriber login
Network Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php with suspicious shortcode parameters
SIEM Query:
source="wordpress.log" AND "do_shortcode" AND ("classified-listing" OR "rtcl")