Description
The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
Published: 2025-12-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Post Deletion by Authenticated User
Action: Upgrade
AI Analysis

Impact

The Listar – Directory Listing & Classifieds WordPress Plugin suffers from a missing capability check on the "/wp-json/listar/v1/place/delete" REST API endpoint. An authenticated user with a Subscriber role or higher can invoke this endpoint to delete any post. This vulnerability represents a CWE-862: Missing Authorization. Consequently, data loss and site content tampering may occur, affecting the integrity and availability of user‑generated listings.

Affected Systems

The vulnerability affects the Listar plugin, made by passionui, in all releases up to and including version 3.0.0. The plugin is commonly integrated into WordPress sites that rely on it for directory listing and classifieds functionality.

Risk and Exploitability

The CVSS base score of 4.3 classifies the threat as low severity, reflecting that an attacker must first gain authenticated access with at least Subscriber privileges. The EPSS score being less than 1% indicates that discovery of exploit code in the wild is unlikely. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation currently. Exploitation requires sending an authenticated request to the public REST endpoint; the attacker needs no special network position but must be able to authenticate. No elevated privileges beyond Subscriber are required, so the impact remains constrained to data deletion rather than broader system compromise.

Generated by OpenCVE AI on April 22, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Listar plugin to the latest available version (any release newer than 3.0.0) which likely contains the missing capability check; this addresses the CWE-862 flaw.
  • If an upgrade is not immediately possible, restrict access to the /wp-json/listar/v1/place/delete REST endpoint by applying firewall or security plugin rules, or disable the endpoint entirely.
  • Review and tighten user role assignments in WordPress, ensuring that only trusted users hold Subscriber or higher privileges; consider revoking Subscriber roles from users no longer required.

Generated by OpenCVE AI on April 22, 2026 at 03:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Dec 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Passionui
Passionui listar
Wordpress
Wordpress wordpress
Vendors & Products Passionui
Passionui listar
Wordpress
Wordpress wordpress

Mon, 08 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Dec 2025 06:00:00 +0000

Type Values Removed Values Added
Description The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
Title Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Passionui Listar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:32.589Z

Reserved: 2025-10-31T21:03:13.438Z

Link: CVE-2025-12574

cve-icon Vulnrichment

Updated: 2025-12-08T21:02:18.707Z

cve-icon NVD

Status : Deferred

Published: 2025-12-06T06:15:49.903

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12574

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T04:00:07Z

Weaknesses