CVE-2025-1063 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the WordPress plugin 'Classified Listing – Classified ads & Business Directory' developed by techlabpro1. The flaw exists in all versions up to and including 4.0.4 within the rtcl_taxonomy_settings_export function. This function improperly exposes sensitive configuration data, including API keys and tokens, without requiring authentication or user interaction. An attacker can remotely invoke this function to retrieve sensitive information, potentially enabling further attacks such as unauthorized API access or privilege escalation. The vulnerability is network exploitable with low attack complexity and no privileges required, making it accessible to a wide range of attackers. Although no integrity or availability impacts are reported, the confidentiality breach can have serious consequences. The vulnerability was published on February 25, 2025, with a CVSS v3.1 base score of 5.3 (medium severity). No patches or known exploits have been reported yet, but the exposure of sensitive credentials necessitates prompt remediation. The plugin is widely used in WordPress sites that provide classified ads and business directory services, making it a notable risk vector in such environments.

The primary impact of CVE-2025-1063 is the unauthorized disclosure of sensitive information, specifically API keys and tokens, which can be leveraged by attackers to gain unauthorized access to backend services or third-party integrations. This exposure can lead to further compromise of the affected organization's infrastructure, data breaches, or fraudulent activities. Since the vulnerability does not require authentication or user interaction, it can be exploited by remote attackers at scale, increasing the risk of widespread data leakage. Organizations relying on this plugin for classified ads or business directories may face reputational damage, regulatory compliance issues, and financial losses if attackers misuse the exposed credentials. The lack of impact on integrity and availability limits direct service disruption but does not diminish the seriousness of the confidentiality breach. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation attempts.

1. Immediate upgrade: Organizations should update the 'Classified Listing – Classified ads & Business Directory' plugin to a patched version once available from the vendor. 2. Temporary access controls: Until a patch is released, restrict access to the rtcl_taxonomy_settings_export function by implementing web application firewall (WAF) rules to block unauthenticated requests targeting this endpoint. 3. Credential rotation: Rotate all API keys and tokens that may have been exposed to invalidate compromised credentials. 4. Monitor logs: Enable detailed logging and monitor for unusual access patterns or repeated requests to the vulnerable function. 5. Principle of least privilege: Limit the permissions associated with exposed API keys to minimize potential damage. 6. Plugin alternatives: Consider replacing the vulnerable plugin with a more secure alternative if timely patching is not feasible. 7. Security testing: Conduct regular vulnerability assessments and penetration testing on WordPress sites to detect similar issues proactively.