CVE-2025-12574 identifies a missing authorization vulnerability (CWE-862) in the Listar – Directory Listing & Classifieds WordPress plugin, affecting all versions up to 3.0.0. The vulnerability arises from the lack of a capability check on the REST API endpoint '/wp-json/listar/v1/place/delete'. This endpoint is intended to allow authorized users to delete listings or posts; however, due to the missing authorization, any authenticated user with Subscriber-level privileges or higher can invoke this endpoint to delete arbitrary posts without proper permission. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The CVSS 3.1 base score is 4.3 (medium severity), reflecting the limited impact on confidentiality and availability but a clear impact on integrity. The scope remains unchanged (S:U), meaning the vulnerability affects only the plugin's resources and not other system components. No known exploits are currently in the wild, and no patches have been published as of the vulnerability disclosure date. The flaw could be leveraged by malicious insiders or compromised low-privilege accounts to disrupt content integrity on affected WordPress sites, potentially damaging business reputation or user trust.

For European organizations, this vulnerability poses a risk primarily to the integrity of website content managed via the Listar plugin. Unauthorized deletion of posts can lead to loss of critical business information, disruption of services relying on directory listings or classifieds, and potential reputational damage. Although the vulnerability does not directly expose sensitive data or cause denial of service, the ability for low-privilege users to delete content could be exploited by disgruntled employees or attackers who have gained subscriber-level access through phishing or credential compromise. This could affect e-commerce platforms, local business directories, or community portals that rely on the plugin for content management. The impact is more pronounced for organizations with large user bases or those that rely heavily on user-generated content. Additionally, the lack of patches means organizations must rely on interim controls to mitigate risk until an official fix is available.

European organizations should implement the following specific mitigations: 1) Immediately audit user roles and permissions on WordPress sites using the Listar plugin to ensure that only trusted users have Subscriber-level or higher access. 2) Restrict access to the vulnerable REST API endpoint by implementing web application firewall (WAF) rules that block or monitor requests to '/wp-json/listar/v1/place/delete' from untrusted or low-privilege users. 3) Employ WordPress security plugins that can enforce additional capability checks or disable REST API endpoints selectively. 4) Monitor logs for unusual deletion activity or repeated access attempts to the vulnerable endpoint. 5) Engage with the plugin vendor or community to track patch releases and apply updates promptly once available. 6) Consider temporarily disabling the Listar plugin if the risk is unacceptable and no immediate patch is available. 7) Educate users on phishing and credential security to reduce the risk of account compromise that could enable exploitation.