Attack Vectors
Critical risk: CVE-2025-12882 affects the WordPress plugin Clasifico Listing (slug: clasifico-listing) in versions up to, and including, 2.0, with a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The primary attack path is straightforward: an unauthenticated attacker registers a new account and includes the listing_user_role parameter in the registration request to choose a privileged role for that account. The result is administrator-level access to the site without any prior credentials.
From a business perspective, this is especially concerning for organizations that allow public account registration, run multiple marketing forms and integrations, or operate sites where uptime and brand trust are critical (campaign landing pages, lead capture, ecommerce, and membership sites).
Security Weakness
Clasifico Listing is vulnerable to privilege escalation because its registration flow honours the listing_user_role parameter supplied by the person creating the account. In practical terms, the role that should be decided server-side (the site's default role for new users) is instead taken from untrusted request input, so an attacker can ask for, and receive, a higher-permission role at sign-up.
This weakness bypasses the authorization control that should restrict who may assign powerful roles such as administrator (in WordPress, role changes through wp-admin are gated by the promote_users capability, which anonymous users never hold). Because the attack requires no authentication, exposure is high for any affected site that has the plugin installed and a registration path reachable by anonymous users.
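The pattern described above, as an added example rather than the plugin's own code: a registration handler that copies the request's role straight into wp_insert_user(), next to a hardened version that decides the role server-side. The WordPress functions are real; the handler names, the form fields other than listing_user_role, and the allowlist in the final helper are assumptions for illustration.

```php
<?php
/*
 * Added example reconstructing the weakness, not Clasifico Listing's code.
 * Only the WordPress API calls and the listing_user_role parameter come from
 * the advisory; everything else is assumed for illustration.
 */

// VULNERABLE: the caller chooses their own role. Sending
// listing_user_role=administrator during sign-up yields an admin account.
function cl_register_vulnerable( array $request ) {
    $userdata = array(
        'user_login' => sanitize_user( $request['user_login'] ?? '' ),
        'user_email' => sanitize_email( $request['user_email'] ?? '' ),
        'user_pass'  => $request['user_pass'] ?? '',
        // Untrusted input flows directly into the role assignment.
        'role'       => $request['listing_user_role'] ?? get_option( 'default_role', 'subscriber' ),
    );
    return wp_insert_user( $userdata ); // int user ID or WP_Error
}

// HARDENED: request input never reaches 'role'. Self-registered accounts get
// the site's configured default role (Settings > General > New User Default Role).
function cl_register_hardened( array $request ) {
    $default_role = get_option( 'default_role', 'subscriber' );
    $userdata = array(
        'user_login' => sanitize_user( $request['user_login'] ?? '' ),
        'user_email' => sanitize_email( $request['user_email'] ?? '' ),
        'user_pass'  => $request['user_pass'] ?? '',
        'role'       => $default_role,
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Defence in depth: if a filter or later code path slipped a different
    // role onto the new account, reset it before the handler returns.
    $user = get_userdata( $user_id );
    if ( $user && (array) $user->roles !== array( $default_role ) ) {
        $user->set_role( $default_role );
    }
    return $user_id;
}

// Generalisation (assumed feature, not described on the page): if a sign-up
// form legitimately offers a choice between a few low-privilege roles, map the
// request value through a server-side allowlist and fall back to the default
// for anything else. Privileged roles are never in the allowlist.
function cl_self_registration_role( $requested ) {
    $allowed   = array( 'subscriber' ); // assumption: extend with site-specific low-privilege roles
    $requested = is_string( $requested ) ? sanitize_key( $requested ) : '';
    return in_array( $requested, $allowed, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );
}
```

The essential fix is the one line in the hardened handler: the role is a server decision. The allowlist helper exists only for products that genuinely need a role picker; even then the request selects among pre-approved low-privilege roles and can never name administrator.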
Remediation note: there is no known patch available at this time. Mitigations should be chosen based on your organization’s risk tolerance, and it may be best to uninstall the affected software and find a replacement.
Technical or Business Impacts
If exploited, this issue can lead to full administrative takeover of your WordPress site, which can translate into: unauthorized content changes, malicious redirects, tampered marketing pixels/analytics, altered forms, and the insertion of malware or spam.
For executives and compliance teams, the impacts can include brand damage (customers being redirected or served malicious content), loss of campaign performance integrity (corrupted analytics and attribution), operational disruption (site defacement or downtime), and potential regulatory exposure depending on what data your site collects or processes.
Given the Critical severity and the lack of an available patch, risk reduction steps often include removing/uninstalling the affected plugin, restricting or disabling public registration where feasible, tightening administrative access controls, and alerting on new accounts that receive the administrator role as well as on unexpected role or configuration changes. Existing accounts should also be reviewed: any administrator created through the registration flow after the plugin was installed is suspect.
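For sites that cannot remove the plugin immediately, the interim mitigations above as a WordPress must-use plugin (placed in wp-content/mu-plugins/, which loads before regular plugins). This is an added example, not vendor or Wordfence code; the hook names and functions are WordPress's own, while the list of privileged roles and the alert destination are assumptions to adapt to your site.

```php
<?php
/**
 * Plugin Name: Privilege-escalation guard for listing_user_role (added example)
 *
 * Interim mitigation for the registration-time role assignment described in
 * this advisory. Assumptions: the roles below are the privileged ones on your
 * site, and error_log + admin e-mail is an acceptable alert channel.
 */

// Roles a self-registered account must never end up with (adjust to your site).
const CL_GUARD_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

// 1. Strip the abused parameter before any plugin handler can read it.
//    mu-plugins load before regular plugins, so this runs first on every request.
unset( $_POST['listing_user_role'], $_GET['listing_user_role'], $_REQUEST['listing_user_role'] );

// 2. Where feasible, disable public registration entirely (uncomment to enable).
//    The pre_option_ filter short-circuits the users_can_register setting.
// add_filter( 'pre_option_users_can_register', '__return_zero' );

function cl_guard_role_is_privileged( string $role ): bool {
    return in_array( $role, CL_GUARD_PRIVILEGED_ROLES, true );
}

// 3. Detect and contain: set_user_role fires whenever WP_User::set_role() runs,
//    including from wp_insert_user() during registration. If a privileged role
//    is being set by someone who is not allowed to promote users, demote the
//    account back to the default role and raise an alert.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( ! cl_guard_role_is_privileged( $role ) ) {
        return;
    }
    // Legitimate sources of role changes: a logged-in user holding
    // promote_users (an admin in wp-admin) or an operator running WP-CLI.
    if ( current_user_can( 'promote_users' ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $default = get_option( 'default_role', 'subscriber' );
    $user    = get_userdata( $user_id );
    $login   = $user ? $user->user_login : "#{$user_id}";
    $message = sprintf(
        '[cl-guard] unprivileged request set role "%s" (previous: %s) on user %s from %s; demoted to "%s"',
        $role,
        implode( ',', (array) $old_roles ) ?: 'none',
        $login,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $default
    );
    error_log( $message );
    wp_mail( get_option( 'admin_email' ), 'Privilege escalation attempt blocked', $message );
    if ( $user ) {
        // Re-fires set_user_role with the default role, which is not
        // privileged, so the hook returns early and cannot loop.
        $user->set_role( $default );
    }
}, 10, 3 );
```

Step 1 removes the attack input, step 3 catches any path that still assigns a privileged role without an authorized actor, and the log line gives the SOC a concrete string to alert on. Keep the guard in place only as a bridge: it does not replace removing the plugin or reviewing accounts created while the site was exposed.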
Similar Attacks
For reference and additional context, you can review publicly documented advisories related to this vulnerability:
CVE-2025-12882 (official CVE record)
Wordfence Advisory: Clasifico Listing <= 2.0 Unauthenticated Privilege Escalation