CVE-2025-7711: CWE-94 Improper Control of Generation of Code ('Code Injection') in techlabpro1 Classified Listing – AI-Powered Classified ads & Business Directory Plugin
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
AI Analysis
Technical Summary
CVE-2025-7711 is an arbitrary shortcode execution flaw, classed under CWE-94 (Improper Control of Generation of Code), in the Classified Listing – AI-Powered Classified ads & Business Directory Plugin for WordPress by techlabpro1; the CVE was assigned through Wordfence. An action reachable by logged-in users passes a request-supplied value to do_shortcode() without validating it, so any authenticated user, Subscriber-level and above, can have WordPress parse that value and run whatever shortcodes it contains. do_shortcode() does not execute raw PHP: for each [tag] it finds it calls the PHP callback registered for that tag, passing the attacker-chosen attributes and enclosed content. The practical impact is therefore bounded by the shortcode inventory of the site, which is everything registered by WordPress core, the theme and every other active plugin. Shortcodes that render otherwise private data, fetch remote content, include files or change settings turn this primitive into information disclosure or content manipulation; nothing on the page supports a direct path to code execution or privilege escalation, and any such path would come from a third-party shortcode rather than from this plugin. All versions up to and including 5.0.3 are affected. The CVSS 3.1 base score is 5.4 (medium): network attack vector, low attack complexity, low privileges required (any registered account), no user interaction, low confidentiality and integrity impact, no availability impact. No public exploit had been reported at the time of analysis. The CVE was reserved on 2025-07-16 and published in November 2025. The plugin is used for classified ads and business directory sites, a segment dominated by small and medium enterprises.
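The following PHP is an added illustration of the pattern the summary describes, not code from the Classified Listing plugin or from techlabpro1: an AJAX handler that feeds a raw POST value to do_shortcode(), beside two hardened forms. The action names (example_preview, example_preview_safe, example_render_text), the content and listing_id parameters and the example_listing tag are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration for CVE-2025-7711, not the plugin's own code. It shows
 * the generic pattern behind "a value is not validated before do_shortcode"
 * next to two hardened forms. The action names, the 'content'/'listing_id'
 * parameters and the 'example_listing' tag are assumptions.
 */

/* ---- Vulnerable pattern ------------------------------------------------
 * wp_ajax_* hooks fire for every logged-in user, Subscriber included. The
 * handler hands the raw POST body to do_shortcode(), so whatever shortcodes
 * are registered on the site run with attacker-chosen attributes.
 */
add_action( 'wp_ajax_example_preview', 'example_preview_vulnerable' );
function example_preview_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content );   // no nonce, no capability check, no tag allowlist
    wp_die();
}

/* ---- Hardened form 1: never let the client choose the shortcode --------
 * The server builds the one shortcode the feature needs from a validated
 * integer; user input never reaches the shortcode parser at all.
 */
add_action( 'wp_ajax_example_preview_safe', 'example_preview_hardened' );
function example_preview_hardened() {
    check_ajax_referer( 'example_preview', 'nonce' );          // CSRF
    if ( ! current_user_can( 'edit_posts' ) ) {                 // authz: excludes Subscribers
        wp_send_json_error( 'forbidden', 403 );
    }
    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    if ( ! $listing_id ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $html = do_shortcode( sprintf( '[example_listing id="%d"]', $listing_id ) );
    wp_send_json_success( wp_kses_post( $html ) );
}

/* ---- Hardened form 2: free text is genuinely needed, so allowlist tags --
 * Every shortcode whose tag is not explicitly allowed is removed before
 * do_shortcode() runs. Core's own shortcode regex is reused so the parse
 * matches exactly what do_shortcode() would have matched.
 */
function example_strip_unlisted_shortcodes( $content, array $allowed ) {
    global $shortcode_tags;
    if ( empty( $shortcode_tags ) ) {
        return $content;
    }
    $pattern = get_shortcode_regex( array_keys( $shortcode_tags ) );
    return preg_replace_callback(
        "/$pattern/",
        static function ( $m ) use ( $allowed ) {
            // $m[2] is the tag name, $m[0] the full [...] match.
            return in_array( $m[2], $allowed, true ) ? $m[0] : '';
        },
        $content
    );
}

add_action( 'wp_ajax_example_render_text', 'example_render_text_hardened' );
function example_render_text_hardened() {
    check_ajax_referer( 'example_render_text', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $content = example_strip_unlisted_shortcodes( $content, array( 'example_listing' ) );
    wp_send_json_success( wp_kses_post( do_shortcode( $content ) ) );
}
```

Form 1 is the fix to prefer: when the client only ever needs one shortcode rendered, it should send an identifier and the server should build the shortcode string itself. Form 2 is for the rarer case where free text with shortcodes is a legitimate input; even then the capability check matters more than the allowlist, because it keeps Subscriber-level accounts away from the parser entirely.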
Potential Impact
For European organizations the exposure is concentrated in sites that run this plugin for classified ads or business directories, which are often central to local commerce and community platforms. An attacker holding any registered account can force the site to run shortcodes of their choosing; depending on which shortcodes the theme and the other installed plugins register, that can disclose data, alter rendered content or reach further into the WordPress installation, undermining confidentiality and integrity, damaging reputation and disrupting operations. WordPress's market share among European SMEs and local businesses means the affected population is large, although the need for an authenticated account keeps anonymous drive-by exploitation out of scope unless the site allows open registration. No exploitation in the wild had been reported at the time of writing, which lowers but does not remove the risk, since public disclosure typically prompts exploit development. Sectors that lean on online classifieds and directories, such as real estate, automotive and local services, face the highest exposure.
Mitigation Recommendations
1. Update the plugin to a release later than 5.0.3 as soon as the vendor ships the fix; none of the steps below replaces the patch.
2. Shrink the pool of accounts that can reach the flaw. Any registered user qualifies, so disable open registration (Settings > General > "Anyone can register") unless the site genuinely needs it, and audit or remove dormant Subscriber-level accounts.
3. Monitor for exploitation: review web-server logs for admin-ajax.php and the plugin's front-end endpoints hit by low-privilege sessions, and use a WordPress activity log to tie requests to accounts. A Subscriber-level account sending shortcode syntax ([tag ...]) to an AJAX action is the signature to look for.
4. Where a Web Application Firewall or WordPress security plugin is in place, add a rule that flags or blocks POST bodies containing shortcode syntax from non-editor sessions to admin-ajax.php; expect to tune it, since some legitimate editor workflows submit shortcodes.
5. Until patched, limit which shortcodes low-privilege users can trigger, for example with a capability check on the relevant action or a site-level filter on the pre_do_shortcode_tag hook that short-circuits shortcodes for users below Editor during AJAX requests.
6. Reduce what a forced shortcode can do: review the shortcodes registered by every active plugin and theme and deactivate plugins that are not in use, because the attacker's reach is exactly that shortcode inventory.
7. Run periodic security reviews and penetration tests that cover WordPress plugin endpoints and role and capability boundaries.
8. Educate site administrators and content managers about the risks of shortcode misuse and enforce strict content validation policies.
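As an added example of the stopgap in recommendation 5 (not the vendor's fix and not the plugin's code), the following must-use plugin uses WordPress core's pre_do_shortcode_tag filter to stop shortcodes from running for low-privilege users during AJAX and REST requests, and logs each blocked attempt so the same file doubles as a detection. The exempt capability (edit_others_posts) and the empty allowlist are assumptions to tune per site.

```php
<?php
/**
 * Plugin Name: Shortcode guard (stopgap for CVE-2025-7711)
 * Description: Added illustration, not the vendor fix. Place in
 *              wp-content/mu-plugins/ until the plugin is updated past 5.0.3.
 *              The capability and the allowlist below are assumptions.
 */

// Shortcode tags that low-privilege users may still trigger via AJAX/REST.
// Assumed to be empty here, which blocks every shortcode for them.
define( 'SCGUARD_ALLOWED_TAGS', array() );

// Users holding this capability are exempt (Editors and Administrators by default).
define( 'SCGUARD_EXEMPT_CAP', 'edit_others_posts' );

/**
 * Short-circuit do_shortcode() for guarded tags. Core applies this filter in
 * do_shortcode_tag(); any value other than false is returned as the output
 * and the shortcode callback is never called.
 */
function scguard_pre_do_shortcode_tag( $output, $tag, $attr, $m ) {
    // Ordinary page views by Subscribers must keep working, so only guard the
    // request types through which plugin actions are reached.
    $is_ajax = wp_doing_ajax();
    $is_rest = defined( 'REST_REQUEST' ) && REST_REQUEST;
    if ( ! $is_ajax && ! $is_rest ) {
        return $output;
    }
    if ( current_user_can( SCGUARD_EXEMPT_CAP ) ) {
        return $output;
    }
    if ( in_array( $tag, SCGUARD_ALLOWED_TAGS, true ) ) {
        return $output;
    }
    scguard_log( $tag, $attr );
    return '';   // swallow the shortcode instead of running its callback
}
add_filter( 'pre_do_shortcode_tag', 'scguard_pre_do_shortcode_tag', 10, 4 );

/** Record who tried to run what, so the stopgap is also a detection source. */
function scguard_log( $tag, $attr ) {
    $user   = wp_get_current_user();
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    error_log( sprintf(
        'scguard: blocked shortcode [%s] user=%d roles=%s ajax_action=%s attr=%s',
        $tag,
        $user->ID,
        implode( ',', (array) $user->roles ),
        $action,
        wp_json_encode( $attr )
    ) );
}
```

Test this on staging first: it will also stop any legitimate AJAX feature that renders shortcodes for Subscriber-level users, such as a front-end listing preview, and the allowlist exists to re-enable exactly those tags. Remove the file once the patched plugin release is installed.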
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-16T13:49:21.442Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691ba3aabb922d226272e042
Added to database: 11/17/2025, 10:37:30 PM
Last enriched: 11/24/2025, 11:16:29 PM
Last updated: 1/7/2026, 4:54:26 AM