CVE-2025-12577: CWE-862 Missing Authorization in passionui Listar – Directory Listing & Classifieds WordPress Plugin

Severity: Medium
Tags: Vulnerability, CVE-2025-12577, CWE-862
Published: Sat Dec 06 2025 (12/06/2025, 05:49:31 UTC)
Source: CVE Database V5
Vendor/Project: passionui
Product: Listar – Directory Listing & Classifieds WordPress Plugin

Description

The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details.

AI-Powered Analysis

Last updated: 12/13/2025, 07:06:34 UTC

Technical Analysis

CVE-2025-12577 is a CWE-862 (Missing Authorization) issue in the Listar – Directory Listing & Classifieds WordPress plugin by passionui. The REST route '/wp-json/listar/v1/place/save', which saves or updates listing details, is exposed without a capability check, so any authenticated user, including one holding only the Subscriber role, can modify listing data. All versions up to and including 3.0.0 are affected.

In WordPress, authorization for a REST route lives in the permission_callback passed to register_rest_route(). A callback that merely confirms the caller is logged in, or that accepts every request, is exactly the pattern CWE-862 describes; the advisory does not say which of these Listar does, only that the capability check is missing. Authentication itself is not an obstacle: a Subscriber can call the route with a session cookie plus the X-WP-Nonce header (obtainable from the admin or the rest-nonce admin-ajax action), or with an Application Password, which WordPress 5.6 and later offers by default to any user who can reach their own profile page on an HTTPS site. On sites with open registration, where new accounts default to the Subscriber role, the flaw is therefore reachable by anyone willing to register.

The CVSS v3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: remotely reachable with low attack complexity, requiring low privileges and no user interaction, with a limited impact on integrity and none on confidentiality or availability. The REST API is enabled by default in WordPress, so the route is normally reachable from the internet. No public exploit and no patched version were listed at the time of publication; until a fixed release is confirmed, the interim options are to gate the route (at the edge or with a site-side capability check) or to deactivate the plugin. The underlying lesson is the usual one: every endpoint that mutates data must authorize the caller against the specific object being changed, not merely authenticate them.
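The following is an added illustration, not code from the Listar plugin or from passionui, of what a missing capability check on a WordPress REST route looks like and how the hardened form differs. The namespaces, the 'post_id' and 'title' parameters and all example_* function names are assumptions made for the illustration; the advisory only names the route, not the plugin's parameters.

```php
<?php
/*
 * Added example (not the Listar plugin's code): a REST route whose only
 * gate is "is someone logged in?", beside a version that authorizes the
 * caller against the listing it is about to change. Namespaces, parameter
 * names and example_* helpers are assumptions for illustration.
 */

// Saving logic shared by both registrations below. Under the vulnerable
// registration this runs for any logged-in user, Subscribers included.
function example_save_place( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'post_id' ) );
    $title   = sanitize_text_field( (string) $request->get_param( 'title' ) );

    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_title' => $title ),
        true // return a WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'updated' => $post_id ) );
}

// Vulnerable pattern (CWE-862): authentication is checked, authorization is
// not. Core's cookie authentication still demands a valid X-WP-Nonce, but a
// Subscriber can obtain one while logged in, or use an Application Password,
// so "is_user_logged_in" is no real barrier. Defined for contrast only; it is
// deliberately never hooked into rest_api_init below.
function example_register_vulnerable_route() {
    register_rest_route( 'example-vulnerable/v1', '/place/save', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_save_place',
        'permission_callback' => 'is_user_logged_in',
    ) );
}

// Hardened permission callback: authenticate, then authorize against the
// specific listing. 'edit_post' is a meta capability that WordPress resolves
// per post (own post vs. someone else's, post status, post type), so a
// Subscriber, who only holds 'read', is refused even with a valid post_id.
function example_can_save_place( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }

    $post_id = absint( $request->get_param( 'post_id' ) );
    if ( 0 === $post_id || null === get_post( $post_id ) ) {
        return new WP_Error( 'rest_invalid_listing', 'Unknown listing.', array( 'status' => 404 ) );
    }

    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not modify this listing.', array( 'status' => 403 ) );
    }
    return true;
}

function example_register_hardened_route() {
    register_rest_route( 'example-hardened/v1', '/place/save', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_save_place',
        'permission_callback' => 'example_can_save_place',
        // Schema validation runs before the callback, so malformed IDs never
        // reach wp_update_post().
        'args'                => array(
            'post_id' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
            'title'   => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
}

add_action( 'rest_api_init', 'example_register_hardened_route' );
```

To check the hardened route on a test site, create a Subscriber account with an Application Password and send `curl -u subscriber:app-password -X POST https://example.test/wp-json/example-hardened/v1/place/save -d post_id=12 -d title=x`; the expected answer is a 403 with code rest_forbidden, while the same call from an Editor or from the listing's author returns the updated ID. The point of the contrast is that the fix is not "require login" but "require the right to edit this particular post".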

Potential Impact

For European organizations running WordPress-based directory or classifieds sites on the Listar plugin, the risk is to data integrity. Unauthorized edits to listing details can spread misinformation, damage reputation and erode user trust; in real estate, local business directories or classifieds marketplaces, manipulated listings (wrong prices, contact details or addresses) can translate into financial loss or legal liability. Because only Subscriber-level authentication is required, an attacker can use a compromised low-privilege account or, on sites with open registration, simply create one. The direct impact is limited to integrity; confidentiality and availability are not affected, although altered listings can indirectly disrupt business operations and customer relationships. Sites without monitoring of REST API activity or of new-account creation are at higher risk. No exploit was publicly known at publication, which lowers the immediate threat but not the exposure. Given how widely WordPress is used in Europe, the affected population is likely to be small and medium enterprises and niche marketplaces.

Mitigation Recommendations

1. Until a fixed release is installed, block or restrict requests to /wp-json/listar/v1/place/save at the edge (web application firewall, reverse proxy or web-server rule), for example by allowing only trusted source addresses. An edge rule cannot see WordPress roles, so any role-based decision has to be made inside WordPress. Cover the query-string form of the same route as well (/?rest_route=/listar/v1/place/save), which WordPress accepts even when the /wp-json/ prefix is blocked.
2. Add a site-side capability check on the route, for example a must-use plugin that hooks the REST dispatch (the rest_request_before_callbacks filter) and refuses callers who cannot edit the listing they target, until an official patch is applied.
3. Deactivate the Listar plugin if it is not essential or if no fixed version becomes available in a reasonable time.
4. Monitor for unexpected Subscriber-level account creation or activity, and disable open registration if the site does not need it.
5. Keep WordPress core and all plugins updated; check the plugin's changelog for a release newer than 3.0.0 that addresses this issue and subscribe to the vendor's and Wordfence's advisories.
6. Log calls to this REST route with user ID, role and source address, and alert on denied calls and on Subscriber accounts reaching it at all.
7. Enforce least privilege for site users and make administrators aware of the risk of granting unnecessary roles.
8. Where the directory is internal, put the WordPress instance behind a VPN or internal network so the REST API is not internet-reachable.
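Recommendations 2, 4 and 6 can be met with one must-use plugin that gates the route named in the advisory and writes a log line for every attempt. The code below is an added example written for this page, not vendor code or a vendor-supplied fix. It assumes the listing ID arrives in a request field called 'post_id'; the advisory does not name the plugin's parameters, so confirm the real field name from a captured request before relying on it.

```php
<?php
/**
 * Plugin Name: Interim guard for /listar/v1/place/save (added example)
 * Description: Site-side virtual patch for CVE-2025-12577, not vendor code.
 *              Drop into wp-content/mu-plugins/ and remove once the plugin is fixed.
 */

// Route path exactly as the advisory names it (the part after /wp-json).
const EXAMPLE_LISTAR_SAVE_ROUTE = '/listar/v1/place/save';

// Assumption: which request field carries the listing ID. Adjust after
// inspecting a real request from the plugin's own front end.
const EXAMPLE_LISTAR_ID_PARAM = 'post_id';

// Decide whether the current user may save the listing this request targets.
function example_listar_request_allowed( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    $id = absint( $request->get_param( EXAMPLE_LISTAR_ID_PARAM ) );
    if ( 0 === $id ) {
        // No existing listing referenced: treat as a create and require a
        // publishing capability rather than the Subscriber's bare 'read'.
        return current_user_can( 'publish_posts' );
    }
    $post = get_post( $id );
    if ( null === $post ) {
        return false;
    }
    // Allow a proper edit capability on this post, or the listing's own author,
    // so a site that lets members maintain their own listings keeps working.
    // Drop the author clause if your site does not intend that.
    return current_user_can( 'edit_post', $id )
        || (int) $post->post_author === get_current_user_id();
}

// rest_request_before_callbacks runs after routing and before the plugin's
// permission_callback and callback; returning a WP_Error short-circuits both.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( rtrim( $request->get_route(), '/' ) !== EXAMPLE_LISTAR_SAVE_ROUTE ) {
        return $response;
    }

    $allowed = example_listar_request_allowed( $request );

    // One line per attempt, so log shipping can alert on denials and on any
    // Subscriber reaching this route at all (recommendations 4 and 6).
    error_log( sprintf(
        'listar-guard route=%s user=%d roles=%s ip=%s decision=%s',
        EXAMPLE_LISTAR_SAVE_ROUTE,
        get_current_user_id(),
        implode( ',', wp_get_current_user()->roles ),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $allowed ? 'allow' : 'deny'
    ) );

    if ( ! $allowed ) {
        return new WP_Error(
            'rest_forbidden',
            'Modifying listings is not permitted for this account.',
            array( 'status' => 403 )
        );
    }
    return $response;
}, 10, 3 );
```

Test it before relying on it: a Subscriber posting to the route should now receive a 403 and a `decision=deny` line in the PHP error log, while an Editor, an Administrator or the listing's author should get the plugin's normal response. Because the guard matches only the exact route string, it is a stop-gap tied to this advisory, not a substitute for the vendor's fix; remove it after updating past 3.0.0 so it cannot mask a future change in the plugin's own authorization.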

Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-10-31T21:05:04.248Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6933c71c11163305efef3530

Added to database: 12/6/2025, 6:03:08 AM

Last enriched: 12/13/2025, 7:06:34 AM

Last updated: 2/4/2026, 9:28:48 AM
