Description
The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-09-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution
Action: Patch immediately
AI Analysis

Impact

The Ultimate Classified Listings plugin is vulnerable to local file inclusion through the uclwp_dashboard shortcode. This vulnerability is a CWE-98 Local File Inclusion flaw. An attacker who has authenticated Contributor-level or higher access can specify any file path that points to a PHP file on the server and have that file included and executed. Because the included code runs with the permissions of the WordPress process, the attacker can bypass existing access controls, read sensitive files, and execute arbitrary PHP, effectively giving code-execution capabilities on the host.

Affected Systems

All installations of Ultimate Classified Listings for WordPress with versions up to and including 1.6 are impacted. The plugin is distributed by WebCodingPlace and can be found on the WordPress plugin repository. No other versions are listed as affected; any environment running one of the affected versions is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity, but the EPSS score is below 1%, suggesting a low but non-zero likelihood of exploitation at the time of this analysis. It is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor privileges and the ability to insert the malicious shortcode or modify an existing one. Once the attacker provides a file path that points to a PHP file on the server, the code inside that file is executed in the context of the WordPress site, allowing the attacker full access to the underlying file system as the web-server user.

Generated by OpenCVE AI on April 21, 2026 at 19:06 UTC.
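The CWE-98 pattern the analysis describes, shown beside a hardened handler, as an added illustration that is not the plugin's own code (the plugin's real attribute names are not on this page): the shortcode name uclwp_view, the 'view' attribute, the function names and the templates directory are all hypothetical.

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.

// VULNERABLE pattern (CWE-98): a shortcode attribute controlled by whoever
// writes the post is concatenated straight into include(). Any role that can
// place shortcodes in content (Contributor and above) thereby chooses which
// .php file on the server gets executed.
function uclwp_view_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'view' => 'listings' ), $atts, 'uclwp_view' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['view'] . '.php';
    return ob_get_clean();
}

// HARDENED pattern: the attribute is only a key into a fixed allowlist of
// template files; the resolved path is then re-checked with realpath() so it
// cannot leave the plugin's templates directory (defence in depth).
function uclwp_view_shortcode_hardened( $atts ) {
    $allowed = array(
        'listings'  => 'listings.php',
        'favorites' => 'favorites.php',
        'messages'  => 'messages.php',
    );
    $atts = shortcode_atts( array( 'view' => 'listings' ), $atts, 'uclwp_view' );
    $view = sanitize_key( $atts['view'] );   // lowercase a-z, 0-9, '_' and '-' only
    if ( ! isset( $allowed[ $view ] ) ) {
        return '';                           // unknown view: render nothing, touch no file
    }
    $template_dir = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $template     = false === $template_dir
        ? false
        : realpath( $template_dir . DIRECTORY_SEPARATOR . $allowed[ $view ] );
    // Confirm the final path is an existing regular file strictly inside the
    // templates directory before handing it to include().
    if ( false === $template
        || ! is_file( $template )
        || 0 !== strpos( $template, $template_dir . DIRECTORY_SEPARATOR ) ) {
        return '';
    }
    ob_start();
    include $template;
    return ob_get_clean();
}
add_shortcode( 'uclwp_view', 'uclwp_view_shortcode_hardened' );
```

The allowlist alone closes the inclusion flaw; the realpath() check is there so a later edit to the allowlist (for example a value containing a path separator) still cannot reach files outside the templates directory.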

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ultimate Classified Listings to version 1.7 or later, which removes the vulnerable shortcode handling.
  • If an upgrade is not immediately possible, deny Contributor and higher roles the ability to create or edit shortcodes, or temporarily disable the uclwp_dashboard shortcode by removing it from the plugin file.
  • Apply a web-application firewall rule to reject requests that attempt to load local files via the uclwp_dashboard shortcode, such as blocking paths that contain '..' or other directory traversal characters.
  • Ensure the WordPress upload directories and PHP files are protected by proper file permissions and that PHP execution is disabled in non-document-root folders where file inclusion could be abused.


Advisories
Source: EUVD
ID: EUVD-2025-27655
Title: same text as the Description above.
History

Wed, 08 Apr 2026 17:45:00 +0000


Fri, 12 Sep 2025 08:15:00 +0000

  First Time appeared, values added: Webcodingplace; Webcodingplace ultimate Classified Listings; Wordpress; Wordpress wordpress
  Vendors & Products, values added: Webcodingplace; Webcodingplace ultimate Classified Listings; Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

  Metrics, values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Sep 2025 07:30:00 +0000

  Description, values added: same text as the Description above.
  Title, values added: Ultimate Classified Listings <= 1.6 - Authenticated (Contributor+) Local File Inclusion
  Weaknesses, values added: CWE-98
  References, values added: (none listed)
  Metrics, values added: cvssV3_1
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:48.590Z

Reserved: 2025-09-02T21:17:47.445Z

Link: CVE-2025-9874

Vulnrichment

Updated: 2025-09-11T14:02:38.967Z

NVD

Status: Deferred

Published: 2025-09-11T08:15:39.863

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses