Unauthorized Data Modification in Classified Listing Plugin for WordPress
CVE-2025-12953

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Classified Listing – Ai-powered Classified Ads & Business Directory Plugin
Vendor
CVE Published:
11 November 2025

What is CVE-2025-12953?

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin for WordPress contains a vulnerability that permits authenticated attackers, with a subscriber role or higher, to make unauthorized changes to listing types. The flaw arises from a lack of capability checks in critical AJAX functions, specifically 'rtcl_ajax_add_listing_type', 'rtcl_ajax_update_listing_type', and 'rtcl_ajax_delete_listing_type'. This oversight allows these attackers to add, update, or delete listing types, potentially leading to significant data integrity issues on affected websites.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Classified Listing – AI-Powered Classified ads & Business Directory Plugin * <= 5.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3389342/clas...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rafshanzani Suhada
JSON
.