CVE-2025-12577 - Vulnerability Details

- Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update

Description

The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details.

Published: 2025-12-06

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a missing capability check on the /wp-json/listar/v1/place/save REST API endpoint in the Listar – Directory Listing & Classifieds WordPress Plugin. This flaw allows an authenticated user with Subscriber-level access or higher to modify listing details, compromising data integrity. The issue is a classic missing authorization weakness (CWE-862).

Affected Systems

WordPress sites that use the Listar – Directory Listing & Classifieds WordPress Plugin (vendor passionui) and run any version up to and including 3.0.0 are impacted. No information is available regarding the status of newer releases.

Risk and Exploitability

Any authenticated user can exploit the endpoint to alter listings, as the missing capability check removes required authorization. Based on the description, the likely attack vector is internal, requiring the attacker to have a valid authenticated session. The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% signals a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation, but authorized users could still use the endpoint to persist unauthorized changes without additional privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

passionui

Listar – Directory Listing & Classifieds WordPress Plugin

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.0.0

No data.

Vendor	Product	Confidence	Versions
Passionui	Listar	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Listar plugin release that includes the missing capability check, if available; if no patch exists, defer the update until a corrected version is released.
Restrict the ability of Subscriber and equivalent roles to edit listings by modifying WordPress role capabilities until a patched plugin is deployed.
Enable logging of listing updates and review audit logs regularly to detect unauthorized modifications early.

Generated by OpenCVE AI on April 22, 2026 at 00:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00048.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://wordpress.org/plugins/listar-directory-listing/
https://www.wordfence.com/threat-intel/vulnerabilities/id/a063fab3-6d52-4f2a-b51f-b76fa2d4711c?source=cve

History

Tue, 09 Dec 2025 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Passionui Passionui listar Wordpress Wordpress wordpress
Vendors & Products		Passionui Passionui listar Wordpress Wordpress wordpress

Mon, 08 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 06 Dec 2025 06:00:00 +0000

Type	Values Removed	Values Added
Description		The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details.
Title		Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update
Weaknesses		CWE-862
References		https://wordpress.org/plugins/listar-directory-listing/ https://www.wordfence.com/threat-intel/vulnerabilities/id/a063fab3-6d52-4f2a-b51f-b76fa2d4711c?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Passionui Listar

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-12-06T05:49:31.045Z

Updated: 2026-04-08T17:12:12.328Z

Reserved: 2025-10-31T21:05:04.248Z

Link: CVE-2025-12577

Vulnrichment

Updated: 2025-12-08T21:32:41.607Z

NVD

Status : Deferred

Published: 2025-12-06T06:15:50.070

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object