CVE-2025-12882 Overview
The Clasifico Listing plugin for WordPress contains a critical privilege escalation vulnerability in versions up to and including 2.0. The vulnerability exists due to improper access control during user registration, allowing attackers to set arbitrary roles when creating new accounts. By manipulating the listing_user_role parameter during registration, unauthenticated attackers can gain administrative access to vulnerable WordPress installations.
Critical Impact
Unauthenticated attackers can register administrator accounts on vulnerable WordPress sites, leading to complete site compromise including data theft, malware injection, and full administrative control.
Affected Products
- Clasifico Listing plugin for WordPress versions up to and including 2.0
- WordPress sites using the Clasifico classified ads theme with the vulnerable plugin
Discovery Timeline
- 2026-02-19 - CVE-2025-12882 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-12882
Vulnerability Analysis
This vulnerability is classified as CWE-269 (Improper Privilege Management). The Clasifico Listing plugin fails to properly validate or restrict the listing_user_role parameter during the user registration process. WordPress plugins that handle user registration must carefully validate role assignments to prevent unauthorized privilege escalation.
The plugin allows users to self-assign roles during registration without performing adequate authorization checks. This design flaw enables unauthenticated attackers to bypass the intended access control mechanism and register accounts with administrator privileges. Once an attacker gains administrative access, they can perform any action available to legitimate administrators, including installing malicious plugins, modifying site content, accessing sensitive user data, and potentially compromising the underlying server.
Root Cause
The root cause is improper input validation and missing authorization checks in the plugin's registration handler. The plugin trusts user-supplied input for the listing_user_role parameter without validating whether the registering user is authorized to assign themselves elevated privileges. Proper implementation would either restrict available roles to non-administrative options or require existing administrator approval for elevated role assignments.
Attack Vector
The attack is executed remotely over the network without requiring any authentication or user interaction. An attacker crafts a registration request that includes the listing_user_role parameter set to an administrative role value. When the plugin processes this registration, it assigns the attacker-specified role to the newly created account, granting immediate administrative access.
The attack is straightforward to execute: an attacker submits a standard WordPress user registration form with the additional listing_user_role parameter included in the POST request body. The parameter can be set to administrator or the equivalent role identifier used by the plugin. Upon successful registration, the attacker can log in with full administrative privileges.
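As an added illustration of the root cause and the fix described above, here is a hypothetical plugin registration handler in its vulnerable form and in a hardened form. This is example code written for this page, not the Clasifico Listing plugin's source; the function names are placeholders and it assumes it runs inside WordPress, where wp_insert_user, get_role and current_user_can are core functions.

```php
<?php
// Illustrative WordPress registration handler (example code, not the plugin's own source).
// Assumes WordPress core is loaded; function names are placeholders.

// VULNERABLE PATTERN (CWE-269): the account's role is copied from the request, so any
// visitor who adds listing_user_role=administrator receives an administrator account.
function example_register_vulnerable() {
    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => sanitize_key( wp_unslash( $_POST['listing_user_role'] ?? 'subscriber' ) ),
    ) );
}

// HARDENED PATTERN: the requested role is only a hint, checked against a server-side
// allowlist of non-privileged roles; anything else requires a caller who may promote users.
function example_register_hardened() {
    $self_service_roles = array( 'subscriber' ); // extend with custom, non-privileged roles only
    $requested          = sanitize_key( wp_unslash( $_POST['listing_user_role'] ?? '' ) );

    if ( in_array( $requested, $self_service_roles, true ) ) {
        $role = $requested;
    } elseif ( '' !== $requested && current_user_can( 'promote_users' ) ) {
        $role = $requested; // elevated roles only through an already-privileged user
    } else {
        $role = get_option( 'default_role', 'subscriber' );
    }

    // Defence in depth: even if the allowlist or default_role is misconfigured, refuse any
    // role that carries administrative capabilities unless the caller may promote users.
    $role_obj = get_role( $role );
    if ( ! $role_obj ) {
        return new WP_Error( 'invalid_role', 'Unknown role.' );
    }
    if ( ( $role_obj->has_cap( 'manage_options' ) || $role_obj->has_cap( 'edit_users' ) )
        && ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden_role', 'This role cannot be self-assigned.' );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role,
    ) );
}
```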
Detection Methods for CVE-2025-12882
Indicators of Compromise
- Newly created WordPress user accounts with administrator privileges created through the frontend registration process
- User registration logs showing accounts created with the listing_user_role parameter specified
- Unexpected administrator accounts that were not created through the WordPress admin panel
- Suspicious login activity from newly created administrator accounts
Detection Strategies
- Monitor WordPress user creation events for accounts assigned administrator or elevated roles
- Implement web application firewall rules to detect and block requests containing the listing_user_role parameter with privileged role values
- Review access logs for POST requests to registration endpoints containing suspicious role parameters
- Audit WordPress user database for recently created accounts with administrative capabilities
Monitoring Recommendations
- Enable comprehensive WordPress activity logging including user registration events
- Configure alerting for any new administrator account creation
- Regularly audit WordPress user roles to identify unauthorized privilege assignments
- Monitor for unusual administrative actions following new account registrations
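The user-database audit and the role review recommended above, as an added example that is not part of this advisory or of the plugin: a script run through WP-CLI (`wp eval-file audit-admins.php`), which loads WordPress first. It lists every recently registered account that holds administrative capabilities, including custom roles, not just the literal "administrator" role. The 30-day window and the file name are assumptions.

```php
<?php
// Added audit script (not the plugin's code). Run as: wp eval-file audit-admins.php
// Flags recently registered accounts that can manage the site or edit users, which is
// the footprint a self-registered administrator account leaves in the database.

$lookback = '30 days ago'; // assumption: widen to cover the whole exposure window

// All accounts registered within the window, newest first (date_query needs WP 4.1+).
$recent = get_users( array(
    'date_query' => array( array( 'column' => 'user_registered', 'after' => $lookback ) ),
    'orderby'    => 'registered',
    'order'      => 'DESC',
    'number'     => -1,
) );

// Check capabilities rather than role names so a custom role with admin powers is caught too.
$flagged = array();
foreach ( $recent as $user ) {
    if ( user_can( $user, 'manage_options' ) || user_can( $user, 'edit_users' ) ) {
        $flagged[] = $user;
    }
}

printf( "%d account(s) registered since %s; %d with administrative capabilities\n",
    count( $recent ), $lookback, count( $flagged ) );
foreach ( $flagged as $user ) {
    printf( "ID %-5d %-24s %-32s registered %s roles=%s\n",
        $user->ID, $user->user_login, $user->user_email,
        $user->user_registered, implode( ',', $user->roles ) );
}
```

Every listed account should be matched against the accounts your own team created through the admin panel; anything unaccounted for is a candidate for the compromise described above.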
How to Mitigate CVE-2025-12882
Immediate Actions Required
- Update the Clasifico Listing plugin to a patched version if available
- Disable user registration on vulnerable WordPress installations until a patch is applied
- Audit existing WordPress user accounts for unauthorized administrator access
- Deactivate the Clasifico Listing plugin if updates are not available and registration functionality is not critical
Patch Information
Check the ThemeForest product page for updated plugin versions. The Wordfence vulnerability report provides additional details and may include patch status information. Site administrators should update to a version that properly validates role assignments during registration.
Workarounds
- Disable public user registration in WordPress Settings > General by unchecking "Anyone can register"
- Use a web application firewall to block POST requests containing the listing_user_role parameter
- Implement server-side filtering to strip the listing_user_role parameter from registration requests
- Consider using an alternative classified ads plugin that does not exhibit this vulnerability
# Temporary hardening via wp-config.php. Note that DISALLOW_FILE_MODS does NOT disable
# registration; it blocks plugin/theme installation, updates and file edits from wp-admin,
# which limits what a rogue administrator account could do until the plugin is patched
define('DISALLOW_FILE_MODS', true);
# To actually stop public registrations, force the users_can_register option off from a
# must-use plugin (e.g. wp-content/mu-plugins/no-registration.php); this is equivalent
# to unchecking Settings > General > "Anyone can register"
add_filter('pre_option_users_can_register', '__return_zero');
# Then verify in Settings > General that "Anyone can register" shows as unchecked
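An added must-use plugin, written for this page rather than taken from the vendor or the plugin, that implements two of the recommendations above: stripping the listing_user_role parameter server-side before any plugin code sees it, and alerting whenever an account is created with or promoted to administrative capabilities. The file name, the log wording and the notification address (the site's admin_email) are assumptions.

```php
<?php
/*
 * Plugin Name: listing_user_role guard (temporary workaround for CVE-2025-12882)
 * Added example, not the Clasifico plugin's code. Save as
 * wp-content/mu-plugins/listing-role-guard.php; must-use plugins load before
 * ordinary plugins, so the parameter is gone before any registration handler runs.
 */

// 1. Drop the role parameter from the request before any plugin can read it, and
//    record the attempt so the access-log review has something to correlate with.
$guard_seen = isset( $_POST['listing_user_role'] ) || isset( $_GET['listing_user_role'] );
unset( $_POST['listing_user_role'], $_GET['listing_user_role'], $_REQUEST['listing_user_role'] );
if ( $guard_seen ) {
    error_log( sprintf(
        'CVE-2025-12882 guard: dropped listing_user_role on %s %s from %s',
        $_SERVER['REQUEST_METHOD'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-', $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
}

// 2. Alert whenever an account gains administrative capabilities, at registration or
//    through a later role change, whoever performed it. Reported once per request.
function listing_role_guard_alert( $user_id ) {
    static $reported = array();
    if ( isset( $reported[ $user_id ] ) || ! user_can( $user_id, 'manage_options' ) ) {
        return; // already reported, or an ordinary account
    }
    $reported[ $user_id ] = true;

    $user  = get_userdata( $user_id );
    $actor = ( is_user_logged_in() && current_user_can( 'promote_users' ) )
        ? 'a logged-in user allowed to promote users'
        : 'an unauthenticated or unprivileged request';
    $msg = sprintf(
        "Account '%s' (ID %d) on %s now has administrative capabilities; set by %s from %s via %s",
        $user->user_login, $user_id, home_url(), $actor,
        $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-'
    );
    error_log( $msg );
    wp_mail( get_option( 'admin_email' ), 'ALERT: administrator account created or promoted', $msg );
}
add_action( 'user_register', 'listing_role_guard_alert', PHP_INT_MAX );
add_action( 'set_user_role', 'listing_role_guard_alert', PHP_INT_MAX );
```

The parameter is removed on every request path, so if the plugin also uses listing_user_role in a legitimate administrator-side flow that flow will lose the value while this guard is active.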
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.