CVE-2025-9874 Overview
CVE-2025-9874 is a Local File Inclusion (LFI) vulnerability in the Ultimate Classified Listings plugin for WordPress. The flaw affects all versions up to and including 1.6 and resides in the uclwp_dashboard shortcode handler. Authenticated attackers with Contributor-level access or higher can include and execute arbitrary .php files on the underlying server. Successful exploitation enables access control bypass, sensitive data disclosure, and potential code execution when attackers can upload .php files through other vectors. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).
Critical Impact
Authenticated Contributor-level users can execute arbitrary PHP code on the server, leading to full WordPress site compromise when combined with a file upload primitive.
Affected Products
- Ultimate Classified Listings plugin for WordPress — versions ≤ 1.6
- WordPress sites permitting Contributor-level or higher registrations
- WordPress installations where additional plugins permit .php file uploads
Discovery Timeline
- 2025-09-11 - CVE-2025-9874 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9874
Vulnerability Analysis
The vulnerability resides in the class-shortcodes.php file at line 49 of the Ultimate Classified Listings plugin. The uclwp_dashboard shortcode processes a user-controlled parameter and passes it to a PHP include or require statement without proper validation or sanitization. WordPress shortcodes execute in the context of post content, meaning any user role permitted to publish or preview posts containing shortcodes can trigger the include. The plugin does not restrict the parameter to a fixed allowlist of expected dashboard view files, nor does it normalize path traversal sequences. As a result, attackers can manipulate the parameter to point at arbitrary .php files on the local filesystem. The CWE-98 classification reflects the direct flow from request input into a file inclusion sink.
Root Cause
The root cause is improper validation of a shortcode attribute used to construct a file path for PHP inclusion. The plugin trusts attacker-controlled input when selecting which template or dashboard partial to load. No allowlist comparison, basename enforcement, or directory restriction is applied before the include statement executes.
Attack Vector
An authenticated user with Contributor privileges or higher embeds the uclwp_dashboard shortcode in a post or page with a crafted attribute referencing a target .php file. When the shortcode renders, the plugin includes the referenced file and PHP executes its contents within the WordPress process. Attackers commonly chain this with image upload features that accept disguised PHP payloads, or target log files and session files containing attacker-controlled strings to achieve remote code execution. Refer to the Wordfence Vulnerability Report and the plugin source at line 49 for the vulnerable code path.
Detection Methods for CVE-2025-9874
Indicators of Compromise
- Unexpected POST or GET requests to URLs containing the uclwp_dashboard shortcode parameter with path traversal sequences such as ../ or absolute filesystem paths.
- New or modified PHP files in wp-content/uploads/ directories, especially files with double extensions like image.jpg.php.
- Post or page revisions authored by Contributor-level accounts that contain the uclwp_dashboard shortcode with unusual attributes.
- Web server access logs showing inclusion attempts targeting wp-config.php or other sensitive configuration files.
Detection Strategies
- Audit WordPress posts and revisions for the string uclwp_dashboard and inspect attached attributes for path manipulation.
- Enable PHP open_basedir restrictions and monitor PHP error logs for failed include attempts indicating exploitation probes.
- Deploy file integrity monitoring on the wp-content/plugins/ultimate-classified-listings/ directory and wp-content/uploads/.
- Correlate Contributor-level user account creation with subsequent shortcode usage on a short timeline.
Monitoring Recommendations
- Forward WordPress audit logs and web server access logs to a centralized SIEM and alert on shortcode parameters containing .., null bytes, or .php references.
- Track plugin version inventory across all WordPress hosts and flag any instance still running version 1.6 or earlier.
- Monitor for new administrator accounts or privilege escalation events following Contributor activity.
How to Mitigate CVE-2025-9874
Immediate Actions Required
- Update the Ultimate Classified Listings plugin to version 1.7 or later, which contains the fix for the vulnerable shortcode handler.
- Audit existing posts, pages, and post revisions for the uclwp_dashboard shortcode and remove any unauthorized usage.
- Review Contributor and higher-privileged accounts for legitimacy and disable any unrecognized accounts.
- Scan wp-content/uploads/ and plugin directories for unauthorized PHP files and shell artifacts.
Patch Information
The vendor fix is available in version 1.7 of the Ultimate Classified Listings plugin. The patched code is published in the WordPress plugin repository at tag 1.7. Administrators should apply the update through the WordPress admin dashboard or via WP-CLI.
Workarounds
- Restrict Contributor and Author role assignments until the plugin is updated and remove the role from accounts that do not require it.
- Deactivate the Ultimate Classified Listings plugin until version 1.7 can be deployed in environments where immediate patching is not feasible.
- Configure a Web Application Firewall rule to block requests containing the uclwp_dashboard shortcode with path traversal characters.
- Apply PHP open_basedir and disable_functions hardening to limit the impact of arbitrary file inclusion.
# Update the plugin via WP-CLI
wp plugin update ultimate-classified-listings --version=1.7
# Verify installed version
wp plugin get ultimate-classified-listings --field=version
# Temporary deactivation if patching is delayed
wp plugin deactivate ultimate-classified-listings
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

