Description
The Listly: Listicles For WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Init() function in all versions up to, and including, 2.7. This makes it possible for unauthenticated attackers to delete arbitrary transient values on the WordPress site.
Published: 2025-07-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of arbitrary transient data
Action: Patch
AI Analysis

Impact

The Listly: Listicles For WordPress plugin contains a missing capability check in its Init() function, allowing an unauthenticated user to execute code that deletes arbitrary transient values stored in the WordPress database. This missing authorization flaw (CWE-862) means any visitor could cause loss of cached or configuration data, potentially disrupting site functionality or user experience.

Affected Systems

This issue affects the Listly plugin developed by milanmk, specifically all releases up to and including version 2.7. WordPress site owners running these plugin versions are vulnerable until they upgrade past 2.7.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as moderate, and the EPSS score of less than 1% indicates a very low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation prevalence. Based on the description, it is inferred that an attacker can trigger the deletion through an unauthenticated HTTP request to the plugin's Init() endpoint, allowing a remote attacker to act from anywhere an exposed WordPress instance is reachable.

Generated by OpenCVE AI on April 20, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Listly plugin to the latest version, which restricts the Init() function to users with appropriate capabilities.
  • If upgrading is not immediately possible, deactivate or uninstall the Listly plugin to remove the vulnerable code from your site.
  • After patching or deactivation, backup your database and verify that transient values function correctly.

Generated by OpenCVE AI on April 20, 2026 at 22:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21845 The Listly: Listicles For WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Init() function in all versions up to, and including, 2.7. This makes it possible for unauthenticated attackers to delete arbitrary transient values on the WordPress site.
History

Fri, 18 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 18 Jul 2025 05:30:00 +0000

Type Values Removed Values Added
Description The Listly: Listicles For WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Init() function in all versions up to, and including, 2.7. This makes it possible for unauthenticated attackers to delete arbitrary transient values on the WordPress site.
Title Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:46.702Z

Reserved: 2025-06-06T15:53:26.174Z

Link: CVE-2025-5811

cve-icon Vulnrichment

Updated: 2025-07-18T14:00:27.244Z

cve-icon NVD

Status : Deferred

Published: 2025-07-18T06:15:26.523

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses