CVE-2025-12574: CWE-862 Missing Authorization in passionui Listar – Directory Listing & Classifieds WordPress Plugin
The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
AI Analysis
Technical Summary
CVE-2025-12574 identifies a missing authorization vulnerability (CWE-862) in the Listar – Directory Listing & Classifieds WordPress Plugin, versions up to and including 3.0.0. The vulnerability exists because the REST API endpoint '/wp-json/listar/v1/place/delete' does not perform proper capability checks before allowing deletion of posts. This flaw allows any authenticated user with at least Subscriber-level privileges to delete arbitrary posts, bypassing intended access controls. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS 3.1 base score is 4.3 (medium), reflecting low complexity and no impact on confidentiality or availability, but a loss of integrity due to unauthorized data deletion. No patches or exploits are currently publicly available, but the vulnerability is publicly disclosed and assigned by Wordfence. The plugin is used for directory listing and classifieds on WordPress sites, making affected sites vulnerable to content tampering and potential disruption of business operations relying on accurate listings.
Potential Impact
The primary impact of this vulnerability is unauthorized modification of website content through deletion of posts, which compromises data integrity. For organizations relying on the Listar plugin for directory listings or classified ads, this could lead to loss of critical business data, disruption of services, and damage to reputation. Although the vulnerability does not allow data disclosure or denial of service, the ability for low-privileged users to delete content can be exploited for sabotage or to manipulate listings. This could affect e-commerce, real estate, job boards, or community platforms using the plugin. The impact is amplified in environments where many users have Subscriber or higher roles, increasing the attack surface. Recovery from unauthorized deletions may require significant administrative effort and could result in downtime or loss of user trust.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately restrict access to the vulnerable REST API endpoint by implementing custom authorization checks or disabling the endpoint if it is not required. Updating the plugin to a patched version once one is available is the most effective solution. Until a patch is released, administrators can limit Subscriber-level user capabilities or reduce the number of users holding such roles. Employing a Web Application Firewall (WAF) to block unauthorized REST API calls targeting '/wp-json/listar/v1/place/delete' can provide temporary protection. Regular backups of website content should be maintained to enable recovery from unauthorized deletions. Monitoring logs for suspicious API activity and auditing user roles can help detect exploitation attempts early. Additionally, educating site administrators about the risk and applying the principle of least privilege to user roles will reduce exposure.
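The interim "custom authorization check" recommended above can be implemented as a must-use plugin that intercepts the affected route before the plugin's own handler runs. The following is an added example written for this page, not code from the Listar plugin or from Wordfence. It assumes the route name exactly as reported in the advisory; the names of the request parameter that carries the post ID (`post_id`, `id`, `place_id`) and the helper `listar_guard_authorize` are assumptions, since the advisory does not describe the plugin's request format.

```php
<?php
/**
 * Plugin Name: Interim guard for Listar place/delete (CVE-2025-12574)
 * Description: Place this file in wp-content/mu-plugins/ to enforce a
 * capability check on the Listar place-delete REST route until a patched
 * plugin version is installed. Added example; not part of the Listar plugin.
 */

// Route as reported in the advisory. WP_REST_Request::get_route() returns the
// part after /wp-json, so '/wp-json/listar/v1/place/delete' becomes this.
const LISTAR_GUARD_ROUTE = '/listar/v1/place/delete';

// ASSUMPTION: the advisory does not say which request parameter carries the
// post ID, so these candidates are guesses; adjust after inspecting the plugin.
const LISTAR_GUARD_ID_PARAMS = array( 'post_id', 'id', 'place_id' );

/**
 * Decide whether the current user may run the delete route.
 * Returns null when the request is allowed, or a WP_Error that blocks it.
 */
function listar_guard_authorize( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $post_id = 0;
    foreach ( LISTAR_GUARD_ID_PARAMS as $name ) {
        $value = $request->get_param( $name );
        if ( is_numeric( $value ) && (int) $value > 0 ) {
            $post_id = (int) $value;
            break;
        }
    }

    if ( $post_id && get_post( $post_id ) ) {
        // Known target: use the per-post meta-capability WordPress already maps
        // for the post type (authors may delete their own posts, editors others').
        $allowed = current_user_can( 'delete_post', $post_id );
    } else {
        // Unknown target: require an editor-level capability instead of guessing.
        $allowed = current_user_can( 'delete_others_posts' );
    }

    if ( ! $allowed ) {
        return new WP_Error( 'rest_forbidden', 'You are not allowed to delete this listing.', array( 'status' => 403 ) );
    }
    return null;
}

/**
 * Runs before the route's own callback. Returning a WP_Error short-circuits
 * dispatch, so the plugin's delete handler never executes for denied requests.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( ! $request instanceof WP_REST_Request ) {
        return $response;
    }
    if ( untrailingslashit( $request->get_route() ) !== LISTAR_GUARD_ROUTE ) {
        return $response;
    }
    $denied = listar_guard_authorize( $request );
    if ( $denied instanceof WP_Error ) {
        // Log denials so attempts show up in the PHP error log for monitoring.
        error_log( sprintf( 'CVE-2025-12574 guard: user %d denied on %s',
            get_current_user_id(), LISTAR_GUARD_ROUTE ) );
        return $denied;
    }
    return $response;
}, 10, 3 );
```

The guard uses the `rest_request_before_callbacks` filter so it applies regardless of how the plugin registered the route. The permanent fix belongs in the plugin itself: the `register_rest_route()` call for this endpoint should supply a `permission_callback` that performs the same `current_user_can( 'delete_post', $post_id )` check, rather than leaving the endpoint open to any authenticated user. Once the patched plugin is installed, the must-use file can be removed.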
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-31T21:03:13.438Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933c71c11163305efef352c
Added to database: 12/6/2025, 6:03:08 AM
Last enriched: 2/27/2026, 8:45:24 PM
Last updated: 3/26/2026, 3:53:46 AM
Views: 59