CVE-2025-12953: CWE-862 Missing Authorization in techlabpro1 Classified Listing – AI-Powered Classified ads & Business Directory Plugin
The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update_listing_type", and "rtcl_ajax_delete_listing_type" functions in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, update, or delete listing types.
AI Analysis
Technical Summary
CVE-2025-12953 is a vulnerability identified in the 'Classified Listing – AI-Powered Classified ads & Business Directory' WordPress plugin developed by techlabpro1. The flaw stems from missing authorization (CWE-862) in three AJAX functions: 'rtcl_ajax_add_listing_type', 'rtcl_ajax_update_listing_type', and 'rtcl_ajax_delete_listing_type'. These functions lack proper capability checks, allowing any authenticated user with subscriber-level access or above to perform unauthorized modifications to listing types, including adding, updating, or deleting them. Since WordPress subscriber roles typically have minimal privileges, this vulnerability significantly elevates their ability to alter plugin data without administrative consent. The vulnerability affects all versions up to and including 5.2.0 of the plugin. The CVSS v3.1 base score is 4.3 (medium), reflecting network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. The vulnerability primarily threatens data integrity by allowing unauthorized content manipulation, which could undermine the trustworthiness of classified listings or business directories hosted on affected WordPress sites.
Potential Impact
For European organizations, especially small and medium enterprises (SMEs) and online marketplaces relying on WordPress with this plugin, the vulnerability poses a risk of unauthorized modification of classified listings or business directory data. This can lead to misinformation, fraudulent listings, reputational damage, and potential legal liabilities if manipulated content misleads customers or violates regulations. Although the vulnerability does not directly compromise confidentiality or availability, the integrity breach can indirectly affect business operations and user trust. Attackers with subscriber-level access could exploit this flaw to insert malicious or misleading listings, potentially facilitating scams or phishing campaigns. The impact is more pronounced in sectors where classified ads or business directories are critical, such as real estate, automotive sales, or local services. Since exploitation requires authentication, organizations with weak user registration controls or exposed subscriber accounts are at higher risk.
Mitigation Recommendations
1. Monitor for and apply official patches or updates from techlabpro1 as soon as they become available to address the missing authorization checks.
2. Until patches are released, restrict subscriber-level user registrations or disable the plugin’s listing type management features if not essential.
3. Implement custom capability checks or use WordPress hooks to enforce stricter authorization on the affected AJAX functions.
4. Audit existing subscriber accounts and remove or upgrade unnecessary accounts to minimize the attack surface.
5. Employ web application firewalls (WAFs) with rules to detect and block unauthorized AJAX requests targeting these functions.
6. Regularly review and monitor classified listing data for unauthorized changes or anomalies.
7. Educate administrators and users about the risk of privilege escalation and encourage strong authentication practices.
8. Consider isolating critical business directory data or migrating to alternative plugins with better security track records if timely patching is not feasible.
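Recommendation 3 can be implemented as a must-use plugin that runs a capability check ahead of the plugin's own handlers. The following is an added example, not code from techlabpro1 or from this advisory; it assumes the AJAX action names are identical to the function names listed above and that `manage_options` is the appropriate capability for managing listing types.

```php
<?php
/**
 * Plugin Name: RTCL listing-type AJAX guard (added example)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// ASSUMPTION: the AJAX action names equal the function names in the advisory.
// Confirm against the plugin's own add_action( 'wp_ajax_...' ) registrations.
const RTCL_GUARDED_ACTIONS = array(
    'rtcl_ajax_add_listing_type',
    'rtcl_ajax_update_listing_type',
    'rtcl_ajax_delete_listing_type',
);

// ASSUMPTION: only administrators should add, update or delete listing types.
const RTCL_GUARD_CAPABILITY = 'manage_options';

/**
 * Reject the request unless the logged-in user holds the required capability.
 */
function rtcl_guard_listing_type_ajax() {
    if ( current_user_can( RTCL_GUARD_CAPABILITY ) ) {
        return; // Authorized: the plugin's own handler runs next.
    }

    // Record the denied attempt so it can be reviewed (recommendation 6).
    error_log( sprintf(
        'rtcl-guard: denied %s for user_id=%d from %s',
        current_action(),
        get_current_user_id(),
        sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) )
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request,
    // so the plugin's handler never executes.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

// wp_ajax_{action} fires only for logged-in users, which matches the
// authenticated (subscriber and above) scenario described in the advisory.
foreach ( RTCL_GUARDED_ACTIONS as $rtcl_action ) {
    // PHP_INT_MIN priority makes the guard run before any other callback.
    add_action( 'wp_ajax_' . $rtcl_action, 'rtcl_guard_listing_type_ajax', PHP_INT_MIN );
}
```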
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-10T13:49:05.597Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69131c131c700d145d0c4cf1
Added to database: 11/11/2025, 11:20:51 AM
Last enriched: 11/11/2025, 11:35:45 AM
Last updated: 11/12/2025, 4:04:39 AM