CVE-2025-9874 is a Local File Inclusion vulnerability classified under CWE-98, found in the Ultimate Classified Listings plugin for WordPress, affecting all versions up to and including 1.6. The vulnerability exists in the handling of the 'uclwp_dashboard' shortcode, which improperly controls the filename used in PHP include or require statements. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw to include arbitrary PHP files stored on the server. This capability enables execution of arbitrary PHP code, which can lead to full remote code execution, bypassing of access controls, and unauthorized access to sensitive data. The vulnerability requires authentication but no user interaction beyond that, and the attack vector is network-based. The CVSS v3.1 base score is 7.5, indicating high severity, with attack vector network (AV:N), attack complexity high (AC:H), privileges required low (PR:L), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability all rated high (C:H/I:H/A:H). No patches or official fixes are currently available, and no known exploits have been observed in the wild. The vulnerability's root cause is improper validation and sanitization of the input controlling the filename in include/require statements, allowing attackers to specify arbitrary files for inclusion.

The impact of CVE-2025-9874 is significant for organizations using the Ultimate Classified Listings plugin on WordPress sites. Successful exploitation can lead to remote code execution, enabling attackers to execute arbitrary PHP code on the web server. This can result in full system compromise, including the ability to modify or delete data, escalate privileges, bypass authentication controls, and potentially pivot to other internal systems. Confidential information stored on the server or accessible through the compromised application can be exposed or stolen. The availability of the affected web service can also be disrupted through malicious code execution. Since the vulnerability requires only Contributor-level access, which is a relatively low privilege level, attackers can exploit compromised or weak user accounts to gain a foothold. This threat is particularly critical for organizations relying on this plugin for classified listings or similar services, as it undermines the security of their web infrastructure and user data.

To mitigate CVE-2025-9874, organizations should immediately restrict Contributor-level user capabilities to prevent unauthorized file uploads or code execution. Implement strict input validation and sanitization on all parameters controlling file inclusion, especially those used in include/require statements. Disable or remove the 'uclwp_dashboard' shortcode if it is not essential to reduce the attack surface. Monitor web server logs and WordPress activity logs for suspicious file inclusion attempts or unusual PHP file executions. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit file inclusion vulnerabilities. Until an official patch is released, consider isolating the affected plugin in a sandboxed environment or replacing it with alternative plugins that do not have this vulnerability. Regularly audit user accounts and permissions to ensure that only trusted users have Contributor-level or higher access. Finally, maintain up-to-date backups and have an incident response plan ready in case of compromise.