CVE-2025-7711: CWE-94 Improper Control of Generation of Code ('Code Injection') in techlabpro1 Classified Listing – AI-Powered Classified ads & Business Directory Plugin
The Classified Listing – Classified ads & Business Directory Plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
AI Analysis
Technical Summary
CVE-2025-7711 is a code injection vulnerability classified under CWE-94 found in the Classified Listing – AI-Powered Classified ads & Business Directory Plugin for WordPress, maintained by techlabpro1. The flaw exists in all plugin versions up to and including 5.0.3, where the plugin improperly validates input before executing WordPress shortcodes via the do_shortcode function. Specifically, authenticated users with Subscriber-level privileges or above can supply crafted input that the plugin processes without sufficient sanitization or validation, enabling arbitrary shortcode execution. This can allow attackers to execute unintended code paths within the WordPress environment, potentially leading to unauthorized data access or modification. The vulnerability does not require user interaction and can be exploited remotely over the network with low complexity. However, it requires at least Subscriber-level authentication, which is a relatively low privilege level in WordPress, making exploitation feasible in many scenarios where user registration is open or compromised accounts exist. The CVSS v3.1 base score is 5.4, reflecting limited confidentiality and integrity impacts but no availability impact. No public exploits or active exploitation have been reported as of the publication date. The vulnerability highlights the risks of improper input validation in WordPress plugins that handle shortcode execution, a common attack vector in the WordPress ecosystem.
Potential Impact
The primary impact of CVE-2025-7711 is on confidentiality and integrity within affected WordPress sites using the Classified Listing plugin. An attacker with Subscriber-level access can execute arbitrary shortcodes, potentially allowing them to run malicious code snippets or access sensitive data exposed via shortcode functionality. While this does not directly lead to full system compromise or denial of service, it can facilitate further attacks such as privilege escalation, data leakage, or unauthorized content manipulation. Organizations relying on this plugin for classified ads or business directories may face reputational damage, data breaches, or unauthorized content changes. The vulnerability is particularly concerning for sites that allow open user registration or have weak authentication controls, increasing the likelihood of attacker access at the Subscriber level. Since WordPress powers a significant portion of websites globally, the scope of affected systems is broad, especially among small to medium businesses and community platforms using this plugin. The absence of known exploits reduces immediate risk but does not eliminate the threat of future exploitation.
Mitigation Recommendations
To mitigate CVE-2025-7711, organizations should immediately update the Classified Listing plugin to a patched version once available from the vendor. In the absence of a patch, administrators should restrict Subscriber-level user capabilities to prevent shortcode submission or execution, possibly by customizing user roles or employing security plugins that limit shortcode usage. Implementing strict input validation and sanitization on any user-submitted content that may be processed by do_shortcode is critical. Monitoring logs for unusual shortcode execution or unexpected content changes can help detect exploitation attempts. Additionally, enforcing strong authentication mechanisms, such as multi-factor authentication and limiting user registrations, reduces the risk of attacker access at Subscriber level. Regular security audits of WordPress plugins and adherence to the principle of least privilege for user roles will further reduce exposure. Finally, consider isolating critical WordPress instances or using web application firewalls (WAFs) that can detect and block suspicious shortcode execution patterns.
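The validation the recommendations call for, shown as an added example that is not the plugin's own code: the first handler illustrates the vulnerable pattern the advisory describes (a client-supplied value passed straight to do_shortcode), the second accepts only a tag from a fixed allowlist and builds the shortcode string server-side. The action names, the `example_` shortcode tags and the nonce action are hypothetical.

```php
<?php
// Hypothetical AJAX handlers for illustration; not code from the affected plugin.

// Vulnerable pattern: the raw request value is handed to do_shortcode(), so any
// shortcode registered on the site (by any plugin or theme) can be executed by
// any user allowed to reach this action, e.g. a Subscriber.
add_action( 'wp_ajax_example_render_vulnerable', function () {
    $raw = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    wp_send_json_success( do_shortcode( $raw ) );
} );

// Hardened pattern: the client chooses only from a fixed allowlist of the
// plugin's own shortcodes and supplies typed attributes; the server assembles
// the shortcode text itself, so shortcode syntax never comes from the request.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_listings', 'example_categories' );

add_action( 'wp_ajax_example_render', function () {
    // Nonce and capability checks: the caller must be a logged-in user who
    // obtained a nonce from a page the plugin rendered.
    check_ajax_referer( 'example_render', 'nonce' );
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // sanitize_key() reduces the tag to [a-z0-9_-]; the allowlist then decides.
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    // Attributes are coerced to the expected type and bounded.
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 10;
    $limit = max( 1, min( $limit, 50 ) );

    $html = do_shortcode( sprintf( '[%s limit="%d"]', $tag, $limit ) );
    wp_send_json_success( $html );
} );
```

With the hardened handler, log entries for this action that carry a tag outside the allowlist are a useful detection signal for the probing the advisory's monitoring advice refers to.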
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-16T13:49:21.442Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691ba3aabb922d226272e042
Added to database: 11/17/2025, 10:37:30 PM
Last enriched: 2/26/2026, 4:31:27 PM
Last updated: 3/21/2026, 11:02:28 PM