CVE-2025-9874: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in webcodingplace Ultimate Classified Listings
The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-9874 is a high-severity vulnerability affecting the Ultimate Classified Listings WordPress plugin developed by webcodingplace. The vulnerability is classified as CWE-98, which pertains to improper control of filenames used in include or require statements, commonly known as a Remote File Inclusion (RFI) or Local File Inclusion (LFI) vulnerability. Specifically, this flaw exists in all versions up to and including 1.6 of the plugin, within the 'uclwp_dashboard' shortcode functionality. An attacker with authenticated access at the Contributor level or higher can exploit this vulnerability to include arbitrary .php files on the server. This inclusion allows the execution of any PHP code contained in those files, effectively enabling code execution on the web server. The attack vector does not require user interaction beyond authentication, but the attacker must have at least Contributor privileges, which are commonly granted to users who can upload content but not necessarily publish it. The vulnerability can be leveraged to bypass access controls, access sensitive data, or execute arbitrary code, especially if the attacker can upload malicious PHP files to the server. The CVSS 3.1 base score is 7.5, indicating a high severity, with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. This means the attack is network exploitable, requires low privileges and high attack complexity, does not require user interaction, and impacts confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability is significant because WordPress is widely used across many organizations, and plugins often have varying levels of security scrutiny. The ability to execute arbitrary PHP code on a server can lead to full system compromise, data theft, or service disruption.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially those relying on WordPress sites with the Ultimate Classified Listings plugin installed. The ability for an authenticated user with Contributor-level access to execute arbitrary code can lead to unauthorized data access, defacement, or complete server takeover. This is particularly critical for organizations handling sensitive personal data under GDPR, as a breach could lead to significant regulatory penalties and reputational damage. The attack complexity is high, requiring some privilege, but many organizations may have multiple contributors or editors with such access, increasing the attack surface. Additionally, if the attacker can upload PHP files via other plugin functionalities or misconfigurations, the risk escalates. The vulnerability could be exploited to implant backdoors, pivot within the network, or disrupt services, impacting business continuity. Given the widespread use of WordPress in Europe for both public-facing and internal applications, the potential impact spans multiple sectors including government, education, e-commerce, and media. The lack of a patch at the time of disclosure increases the urgency for mitigation.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Ultimate Classified Listings plugin, especially versions up to 1.6. Until a patch is available, organizations should consider the following mitigations:
1) Restrict Contributor-level access strictly to trusted users and review user roles to minimize unnecessary privileges.
2) Implement Web Application Firewall (WAF) rules to detect and block suspicious include or file access patterns related to the 'uclwp_dashboard' shortcode.
3) Disable or remove the vulnerable plugin if it is not essential, or replace it with a more secure alternative.
4) Monitor file upload directories and server logs for unusual PHP file uploads or executions.
5) Harden the server by disabling PHP execution in upload directories where possible.
6) Employ intrusion detection systems to identify anomalous behavior indicative of exploitation attempts.
7) Prepare incident response plans to quickly isolate and remediate compromised systems.
Organizations should also subscribe to vendor and security community updates to apply patches promptly once released.
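As an added illustration of what a CWE-98-safe shortcode handler looks like (example code written for this page, not the plugin's own source; the shortcode name, attribute name 'view', template file names and directory are assumptions), the callback below maps a shortcode attribute to a fixed allow-list of template files instead of letting the attribute reach include() as a path:

```php
<?php
// Added example, not the plugin's code. The root cause behind CWE-98 is a
// pattern such as include( $dir . $atts['view'] . '.php' ), where a Contributor
// who can place the shortcode in a post controls which file is included.
// Here the attribute is only ever used as a lookup key.

function example_safe_dashboard_shortcode( $atts ) {
    // The dashboard is for logged-in users; this narrows who can reach the
    // include at all but does not by itself make the include safe.
    if ( ! is_user_logged_in() ) {
        return '';
    }

    // Assumed attribute name 'view' with a default of 'overview'.
    $atts = shortcode_atts( array( 'view' => 'overview' ), $atts, 'example_dashboard' );

    // Allow-list: every includable file is named here in code; nothing from the
    // attribute is ever concatenated into a path.
    $views = array(
        'overview' => 'dashboard-overview.php',
        'listings' => 'dashboard-listings.php',
        'profile'  => 'dashboard-profile.php',
    );
    $key = sanitize_key( $atts['view'] );
    if ( ! isset( $views[ $key ] ) ) {
        return ''; // unknown view: render nothing rather than guess a file
    }

    // Defence in depth: the resolved path must stay inside the templates directory.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $real = realpath( plugin_dir_path( __FILE__ ) . 'templates/' . $views[ $key ] );
    if ( false === $base || false === $real
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $real;
    return ob_get_clean();
}
add_shortcode( 'example_dashboard', 'example_safe_dashboard_shortcode' );
```

Combined with mitigation 5 (no PHP execution in upload directories), this removes both halves of the attack chain the advisory describes: an attacker-chosen include path and an attacker-supplied .php file to point it at.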
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-02T21:17:47.445Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c27a23e1c560fa9d94d4eb
Added to database: 9/11/2025, 7:28:35 AM
Last enriched: 9/11/2025, 7:28:53 AM
Last updated: 10/30/2025, 2:17:29 PM