CVE-2025-12574: CWE-862 Missing Authorization in passionui Listar – Directory Listing & Classifieds WordPress Plugin
The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
AI Analysis
Technical Summary
CVE-2025-12574 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Listar – Directory Listing & Classifieds WordPress plugin developed by passionui. The issue arises from the absence of a capability check on the REST API endpoint '/wp-json/listar/v1/place/delete', which is responsible for deleting posts. Any authenticated user with Subscriber-level privileges or higher can therefore invoke this endpoint and delete arbitrary posts. Since the WordPress Subscriber role normally carries minimal permissions, the flaw lets low-privilege users perform destructive actions they are not authorized for. All versions up to and including 3.0.0 of the plugin are affected. The CVSS 3.1 base score is 4.3 (medium severity): network attack vector, low attack complexity, low privileges required, no user interaction, and an impact on integrity only. There are no known public exploits or patches available at the time of publication. The vulnerability does not affect confidentiality or availability but compromises data integrity by allowing unauthorized deletion of content, which can disrupt business operations, especially for websites that rely on directory listings or classified ads for revenue or user engagement. The vulnerability was reserved on 2025-10-31 and published on 2025-12-06 by Wordfence.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of website content managed via the Listar plugin. Unauthorized deletion of posts can lead to loss of critical business data, disruption of services, and damage to reputation. Organizations using this plugin for commercial directory listings or classifieds may experience operational interruptions and customer dissatisfaction. Although the vulnerability does not directly expose sensitive data or cause denial of service, the ability for low-privilege users to delete content could be exploited for sabotage or competitive advantage. The impact is more pronounced for organizations with multiple users having Subscriber-level access, such as community-driven platforms or multi-user editorial sites. Recovery from such attacks may require restoring data from backups, incurring downtime and resource costs. Additionally, regulatory compliance issues could arise if data integrity is compromised, especially under GDPR mandates for data protection and availability.
Mitigation Recommendations
Since no official patch is currently available, European organizations should implement immediate compensating controls. These include restricting Subscriber-level access strictly to trusted users and auditing user roles to minimize unnecessary privileges. Implement web application firewall (WAF) rules to monitor and block unauthorized REST API calls to '/wp-json/listar/v1/place/delete'. Disable or restrict REST API access for unauthenticated or low-privilege users if feasible. Regularly back up website content to enable quick restoration in case of unauthorized deletions. Monitor logs for suspicious API activity and unusual deletion patterns. Engage with the plugin vendor or community to track patch releases and apply updates promptly once available. Consider temporarily disabling the Listar plugin if the risk outweighs operational needs until a fix is deployed. Employ security plugins that enhance WordPress authorization checks and REST API protections. Finally, educate site administrators and users about the risks of privilege escalation and the importance of role management.
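The missing capability check described in the Technical Summary and the compensating control recommended above (restricting the endpoint to privileged users and logging attempts) can be enforced without waiting for a vendor patch by means of a must-use plugin. The following is an added example, not code from passionui or the Listar plugin; it assumes that `delete_others_posts` is the appropriate capability for deleting listings on the site, and that the route string WordPress matches is '/listar/v1/place/delete' (the '/wp-json' prefix being the REST base):

```php
<?php
/**
 * Plugin Name: Listar place/delete capability guard
 * Description: Added example (not passionui's code). Place in wp-content/mu-plugins/
 *              to require a delete capability on listar/v1/place/delete until a
 *              patched Listar release is installed.
 */

// Route from the advisory; '/wp-json' is the REST prefix, not part of the
// route string WordPress matches against.
const LISTAR_GUARDED_ROUTE = '/listar/v1/place/delete';

// Assumption: deleting listings is an editor-level action on this site.
// Adjust if the listing post type maps a custom delete capability.
const LISTAR_REQUIRED_CAP = 'delete_others_posts';

/**
 * Runs before any REST callback, including the plugin's own permission_callback.
 * Returning a WP_Error makes WordPress answer with that error and skip the handler.
 */
function listar_guard_place_delete( $response, $handler, $request ) {
    // Leave every other endpoint untouched.
    if ( rtrim( $request->get_route(), '/' ) !== LISTAR_GUARDED_ROUTE ) {
        return $response;
    }

    if ( current_user_can( LISTAR_REQUIRED_CAP ) ) {
        return $response; // privileged user: let the plugin's handler run
    }

    // Log the denial so unusual deletion attempts show up in the server log.
    $user = wp_get_current_user();
    error_log( sprintf(
        'listar-guard: denied %s for user_id=%d (%s) from %s',
        LISTAR_GUARDED_ROUTE,
        $user->ID,
        $user->user_login !== '' ? $user->user_login : 'anonymous',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // 401 for anonymous callers, 403 for authenticated but unprivileged ones.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to delete listings.',
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_request_before_callbacks', 'listar_guard_place_delete', 10, 3 );
```

Remove the guard once a Listar release that adds its own capability check is installed, and watch the server log for the 'listar-guard: denied' lines as the deletion-pattern signal the recommendations mention.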
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-31T21:03:13.438Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933c71c11163305efef352c
Added to database: 12/6/2025, 6:03:08 AM
Last enriched: 12/13/2025, 7:10:24 AM
Last updated: 2/4/2026, 7:30:13 AM