CVE-2025-9874
📋 TL;DR
The Ultimate Classified Listings WordPress plugin has a Local File Inclusion vulnerability that allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, or privilege escalation. All WordPress sites running version 1.6 or earlier of this plugin are affected.
💻 Affected Systems
- Ultimate Classified Listings WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, leading to data exfiltration, ransomware deployment, or complete site takeover.
Likely Case
Unauthorized file access leading to sensitive data exposure, privilege escalation to administrator, or backdoor installation.
If Mitigated
Limited impact if proper file upload restrictions and server hardening are in place, but still potential for data leakage.
🎯 Exploit Status
Exploitation requires Contributor-level access; attackers may use social engineering or compromised accounts to gain initial access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/ultimate-classified-listings/trunk/classes/class-shortcodes.php#L49
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Ultimate Classified Listings.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 1.7+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable shortcode
- Remove or disable the 'uclwp_dashboard' shortcode functionality
- Edit wp-content/plugins/ultimate-classified-listings/classes/class-shortcodes.php and comment out or remove the vulnerable shortcode registration
Restrict file uploads
- Prevent PHP file uploads through WordPress
- Add to wp-config.php: define('ALLOW_UNFILTERED_UPLOADS', false);
🧯 If You Can't Patch
- Temporarily deactivate the Ultimate Classified Listings plugin
- Implement strict file upload restrictions and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Ultimate Classified Listings version number
Check Version:
wp plugin list --name='ultimate-classified-listings' --field=version
Verify Fix Applied:
Verify plugin version is 1.7 or higher and test shortcode functionality
📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion attempts in web server logs
- Multiple failed authentication attempts followed by successful Contributor login
- POST requests containing 'uclwp_dashboard' parameter with file paths
Network Indicators:
- Unusual outbound connections from web server after file inclusion requests
SIEM Query:
source="web_server" AND (uri="*uclwp_dashboard*" OR uri="*include*" OR uri="*require*")