CVE-2025-10706 is a critical authorization vulnerability identified in the ClassifiedPro - reCommerce WordPress theme developed by Cridio Studio. The root cause is a missing capability check in the 'cwp_addons_update_plugin_cb' function, which is responsible for handling plugin installation or updates within the theme's ecosystem. This flaw allows any authenticated user with subscriber-level permissions or higher to bypass intended restrictions and install arbitrary plugins on the WordPress site. Since WordPress plugins can execute PHP code, this unauthorized plugin installation can lead to remote code execution (RCE), enabling attackers to take full control of the affected server. The vulnerability affects all versions of the theme up to and including 1.0.14. Exploitation does not require user interaction and leverages a nonce mechanism provided by the CubeWP Framework plugin, which is part of the theme's dependencies. The CVSS v3.1 score is 8.8 (high), reflecting the network attack vector, low attack complexity, and the significant impact on confidentiality, integrity, and availability. Although no active exploits have been reported, the ease of exploitation and the potential for complete site compromise make this a critical threat for WordPress sites using this theme.

The impact of CVE-2025-10706 is severe for organizations running WordPress sites with the ClassifiedPro theme. Unauthorized plugin installation can lead to remote code execution, allowing attackers to execute arbitrary code, steal sensitive data, modify site content, or disrupt services. This can result in data breaches, website defacement, malware distribution, or use of the compromised server as a pivot point for further attacks within an organization's network. Since the vulnerability requires only subscriber-level authentication, attackers can exploit compromised or weak user credentials easily. The widespread use of WordPress and the popularity of the ClassifiedPro theme in e-commerce and classified ad websites increase the potential attack surface globally. Organizations may face reputational damage, financial losses, and regulatory penalties if exploited. The lack of a patch at the time of disclosure further elevates the risk until mitigations are applied.

1. Immediate mitigation involves restricting subscriber-level users from accessing plugin installation or update functionalities by customizing user roles and capabilities within WordPress. 2. Disable or remove the ClassifiedPro theme if not essential or replace it with a secure alternative until a patch is available. 3. Monitor user accounts for suspicious activity, especially those with subscriber or higher privileges, and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 4. Limit plugin installation permissions strictly to trusted administrators. 5. Regularly audit installed plugins and themes for unauthorized additions or modifications. 6. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit the vulnerable function. 7. Keep the CubeWP Framework plugin updated, as it provides the nonce mechanism involved in the vulnerability; monitor vendor advisories for patches. 8. Implement network segmentation and least privilege principles to minimize the impact of potential compromises. 9. Backup website data frequently to enable quick recovery in case of exploitation.