CVE-2025-12953 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Classified Listing – AI-Powered Classified ads & Business Directory Plugin for WordPress, developed by techlabpro1. The issue arises because the plugin fails to perform proper capability checks on three critical AJAX functions: rtcl_ajax_add_listing_type, rtcl_ajax_update_listing_type, and rtcl_ajax_delete_listing_type. These functions are responsible for adding, updating, and deleting listing types within the plugin's classified ads and business directory system. Due to the missing authorization, any authenticated user with subscriber-level privileges or higher can invoke these AJAX endpoints to manipulate listing types without having the necessary administrative rights. This vulnerability affects all versions up to and including 5.2.0. The CVSS v3.1 score is 4.3 (medium severity), reflecting that the attack vector is network-based (remote), requires low attack complexity, and low privileges (authenticated user), but does not impact confidentiality or availability, only integrity. No user interaction is needed beyond authentication. There are no known exploits in the wild, and no patches have been published at the time of disclosure. The vulnerability could allow attackers to alter the structure or categorization of listings, potentially misleading users or damaging the reliability of the directory data. This could be leveraged for further social engineering or to degrade trust in the platform.

For European organizations using WordPress sites with the Classified Listing plugin, this vulnerability poses a risk to data integrity within their classified ads or business directory services. Unauthorized modification of listing types could lead to misinformation, misclassification, or fraudulent listings, which can damage brand reputation and user trust. While it does not directly compromise sensitive data confidentiality or site availability, the integrity loss can have downstream effects such as enabling scams or misleading customers. Organizations in sectors relying heavily on classified ads or business directories (e.g., real estate, automotive, local services) may face operational disruptions or customer dissatisfaction. Additionally, regulatory compliance under GDPR could be implicated if manipulated listings lead to misleading or false information affecting consumers. The requirement for authenticated access limits exposure but does not eliminate risk, especially if subscriber accounts are easy to obtain or compromised.

1. Immediately restrict subscriber-level user capabilities to prevent unauthorized access to plugin AJAX endpoints by implementing custom capability checks or role restrictions at the WordPress level. 2. Monitor and audit user activity related to listing type modifications to detect suspicious behavior early. 3. Apply web application firewall (WAF) rules to detect and block unauthorized AJAX requests targeting the vulnerable functions. 4. Until an official patch is released, consider disabling or removing the Classified Listing plugin if it is not essential. 5. Educate administrators to enforce strong authentication and limit subscriber account creation to trusted users only. 6. Regularly check for plugin updates and apply patches promptly once available. 7. Review and harden WordPress user roles and permissions to minimize privilege escalation risks. 8. Implement logging and alerting on changes to listing types to enable rapid incident response.