Description
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens.
Published: 2025-02-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Patch immediately
AI Analysis

Impact

The Classified Listing plugin for WordPress is vulnerable to Sensitive Information Exposure through the rtcl_taxonomy_settings_export function. Unauthenticated users can trigger this function and obtain sensitive data such as API keys and tokens, compromising the confidentiality of the site’s integrations.

Affected Systems

All installations of the Classified Listing – AI‑Powered Classified ads & Business Directory Plugin from vendor techlabpro1, running any version up to and including 4.0.4, are affected. Any website that has not applied the latest update beyond 4.0.4 remains susceptible.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS score below 1%, the vulnerability is considered moderate but still exploitable. It is not listed in CISA’s KEV catalog, indicating no known exploitation in the wild at this time. The likely attack vector is an unauthenticated HTTP request to the exposed export endpoint; an attacker need only identify the plugin’s URL pattern and invoke the function to retrieve the data. The consequences include loss of confidential integration keys, which could allow further compromise of connected services.

Generated by OpenCVE AI on April 20, 2026 at 23:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Classified Listing plugin to version 4.0.5 or later to remove the vulnerable export function.
  • Revoke and regenerate any API keys or tokens that may have been exposed and update them in the WordPress configuration.
  • Remove or restrict the rtcl_taxonomy_settings_export capability from user roles that do not require it, ensuring that only trusted administrators can invoke the function.
  • Implement WAF or network level rules to block unauthenticated requests targeting the export endpoint and monitor logs for any such activity.

Advisories
Source: EUVD
ID: EUVD-2025-5071
Title: The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens.

History

Tue, 25 Feb 2025 15:15:00 +0000

Values Added:
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 07:15:00 +0000

Values Added:
Description: The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens.
Title: Classified Listing – Classified ads & Business Directory Plugin <= 4.0.4 - Unauthenticated Settings Exposure
Weaknesses: CWE-200
References:
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:16.994Z

Reserved: 2025-02-05T17:42:57.217Z

Link: CVE-2025-1063

Vulnrichment

Updated: 2025-02-25T14:32:34.032Z

NVD

Status: Received

Published: 2025-02-25T07:15:17.127

Modified: 2025-02-25T07:15:17.127

Link: CVE-2025-1063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z