
CVE-2025-12882: CWE-269 Improper Privilege Management in SmartDataSoft Clasifico Listing

Severity: Critical
Published: Thu Feb 19 2026 (02/19/2026, 03:25:15 UTC)
Source: CVE Database V5
Vendor/Project: SmartDataSoft
Product: Clasifico Listing

Description

The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role' parameter. This makes it possible for unauthenticated attackers to gain elevated privileges by registering an account with the administrator role.

AI-Powered Analysis

Last updated: 02/19/2026, 04:25:54 UTC

Technical Analysis

The vulnerability identified as CVE-2025-12882 affects the Clasifico Listing plugin for WordPress, developed by SmartDataSoft. This plugin allows users to register new accounts on WordPress sites, but due to improper privilege management (CWE-269), it permits unauthenticated attackers to specify the 'listing_user_role' parameter during registration. Because the plugin fails to validate or restrict this parameter, attackers can assign themselves elevated roles, including administrator privileges, upon account creation. This results in a direct privilege escalation without requiring any prior authentication or user interaction. The vulnerability impacts all versions up to and including 2.0 of the plugin. The CVSS 3.1 base score is 9.8, reflecting the critical nature of the flaw with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation would allow attackers to fully compromise the affected WordPress site, including modifying content, installing malware, or stealing sensitive data. No official patches or mitigations have been published yet, and no known exploits are reported in the wild, but the vulnerability is straightforward to exploit. The root cause is the plugin's failure to enforce proper role assignment controls during user registration, violating the principle of least privilege and secure privilege management.

Potential Impact

For European organizations, this vulnerability poses a severe risk, especially for those relying on WordPress sites with the Clasifico Listing plugin installed and user registration enabled. Successful exploitation grants attackers administrative control over the website, enabling them to manipulate content, access sensitive user data, deploy malware, or pivot to internal networks. This can lead to data breaches, reputational damage, regulatory non-compliance (e.g., GDPR violations), and operational disruptions. E-commerce platforms, service providers, and community portals using this plugin are particularly vulnerable. Given the critical severity and ease of exploitation, attackers could rapidly compromise multiple sites, potentially leading to widespread impact across sectors such as retail, finance, healthcare, and public services in Europe. The lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing the likelihood of attacks. Additionally, compromised sites could be used to launch further attacks or distribute malicious content, amplifying the threat landscape.

Mitigation Recommendations

Immediate mitigation steps include disabling user registration on affected WordPress sites using the Clasifico Listing plugin until a vendor patch is available. Administrators should audit existing user accounts for unauthorized administrator roles and remove any suspicious accounts. Implement strict input validation and sanitization to prevent manipulation of the 'listing_user_role' parameter. Employ web application firewalls (WAFs) with custom rules to detect and block requests attempting to set elevated roles during registration. Monitor logs for unusual registration activity or privilege escalations. Once the vendor releases a patch, apply it promptly and verify that role assignment controls are enforced correctly. Consider restricting plugin usage to trusted users or replacing it with alternative plugins that follow secure privilege management practices. Educate site administrators on secure configuration and the risks of improper role assignment. Regularly update WordPress core and plugins to minimize exposure to known vulnerabilities.
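Two of the mitigations above (a WAF rule on registration traffic, and an audit of existing accounts for unexpected administrators) as an added example in Python; this is not the plugin's own code, and the endpoint path, role names, admin list and sample data are constructed assumptions. The request check treats any 'listing_user_role' value outside a self-service allowlist as the signal, which is the same allowlist discipline the plugin itself should apply server-side.

```python
"""Defensive checks for the CVE-2025-12882 pattern (client-supplied role at registration)."""
from urllib.parse import parse_qs

ROLE_PARAM = "listing_user_role"          # parameter named in the advisory
SELF_SERVICE_ROLES = {"subscriber"}       # assumption: the only role a visitor may request
KNOWN_ADMINS = {"siteowner"}              # assumption: the administrators you actually created


def screen_registration(method: str, path: str, query: str, body: str):
    """Return (blocked, reason). The role parameter is read from both the query
    string and a form-encoded body; any value outside SELF_SERVICE_ROLES is
    rejected, so an allowlist miss is the signal, not a fixed list of bad roles."""
    for source, raw in (("query", query), ("body", body)):
        for value in parse_qs(raw, keep_blank_values=True).get(ROLE_PARAM, []):
            if value.strip().lower() not in SELF_SERVICE_ROLES:
                return True, f"{ROLE_PARAM}={value!r} in {source} of {method} {path}"
    return False, ""


def unexpected_admins(user_rows, known_admins=KNOWN_ADMINS):
    """user_rows: dicts shaped like the JSON output of
    `wp user list --fields=user_login,roles,user_registered --format=json`
    (roles assumed to be a comma-separated string). Returns (login, registered)
    for every administrator not on the known list, oldest first."""
    hits = []
    for row in user_rows:
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" in roles and row["user_login"] not in known_admins:
            hits.append((row["user_login"], row["user_registered"]))
    return sorted(hits, key=lambda h: h[1])


# Constructed samples: an ordinary sign-up, a role smuggled in the body, a role
# smuggled in the query string, and a user export containing one stray admin.
SAMPLE_REQUESTS = [
    ("POST", "/register/", "", "user_login=alice&email=a%40example.test"),
    ("POST", "/register/", "", "user_login=mallory&listing_user_role=administrator"),
    ("GET", "/register/", "listing_user_role=editor&user_login=eve", ""),
]
SAMPLE_USERS = [
    {"user_login": "siteowner", "roles": "administrator", "user_registered": "2024-05-01 10:00:00"},
    {"user_login": "alice", "roles": "subscriber", "user_registered": "2026-02-18 09:12:40"},
    {"user_login": "mallory", "roles": "administrator", "user_registered": "2026-02-19 03:30:11"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(screen_registration(*req))
    print(unexpected_admins(SAMPLE_USERS))
```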


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-07T16:19:24.522Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69968d656aea4a407a390130

Added to database: 2/19/2026, 4:11:17 AM

Last enriched: 2/19/2026, 4:25:54 AM

Last updated: 2/20/2026, 9:50:51 PM

