CVE-2025-12953 identifies a missing authorization vulnerability (CWE-862) in the Classified Listing – AI-Powered Classified ads & Business Directory Plugin for WordPress, affecting all versions up to and including 5.2.0. The vulnerability stems from the absence of capability checks in three AJAX functions: rtcl_ajax_add_listing_type, rtcl_ajax_update_listing_type, and rtcl_ajax_delete_listing_type. These functions handle the creation, modification, and deletion of listing types within the plugin. Due to the missing authorization, any authenticated user with subscriber-level privileges or higher can invoke these functions to manipulate listing types without proper permissions. This unauthorized modification can lead to data integrity issues, such as the insertion of malicious or misleading listings, or disruption of the directory structure. The vulnerability does not affect confidentiality or availability directly, as it does not expose sensitive data or cause denial of service. Exploitation requires authentication but no additional user interaction. The plugin is commonly used in WordPress environments for classified ads and business directories, making affected sites potentially vulnerable. No patches were linked at the time of disclosure, and no known exploits are reported in the wild. The CVSS v3.1 base score is 4.3, indicating medium severity, with an attack vector of network, low attack complexity, and privileges required at the low level (authenticated users).

The primary impact of CVE-2025-12953 is unauthorized modification of listing types within the affected WordPress plugin, which can undermine the integrity of data presented on websites using this plugin. Attackers with subscriber-level access can add, update, or delete listing types, potentially inserting misleading or malicious content, disrupting business directories, or damaging the reputation of the site. While confidentiality and availability are not directly impacted, the integrity compromise can lead to loss of trust by users and customers, and may facilitate further attacks such as phishing or fraud if malicious listings are introduced. Organizations relying heavily on this plugin for classified ads or business directories may face operational disruptions and reputational damage. Since exploitation requires authentication, the risk is limited to environments where attackers can obtain subscriber-level credentials, either through credential theft, weak password policies, or social engineering. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

To mitigate CVE-2025-12953, organizations should first verify if they use the Classified Listing – AI-Powered Classified ads & Business Directory Plugin and identify the version in use. If affected (version 5.2.0 or earlier), they should monitor the vendor's official channels for patches or updates addressing the missing authorization checks and apply them promptly once available. In the absence of an official patch, administrators can implement temporary mitigations such as restricting subscriber-level user capabilities to prevent access to the vulnerable AJAX functions, for example by customizing WordPress roles and capabilities or using security plugins to block unauthorized AJAX requests. Additionally, enforcing strong authentication mechanisms, including multi-factor authentication (MFA) for all users, can reduce the risk of credential compromise. Regularly auditing user accounts and privileges to ensure minimal necessary access is granted will also limit potential exploitation. Monitoring logs for unusual activity related to listing type modifications can help detect attempted exploitation. Finally, consider isolating or limiting plugin usage to trusted users only until a fix is applied.