{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0763", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-27T21:23:47.479Z", "datePublished": "2025-09-11T07:24:50.341Z", "dateUpdated": "2026-04-08T16:43:50.751Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:50.751Z"}, "affected": [{"vendor": "webcodingplace", "product": "Ultimate Classified Listings", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin custom fields."}], "title": "Ultimate Classified Listings <= 1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c368677-e436-412a-9a88-89d128d72aa0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-classified-listings/tags/1.4/classes/class-admin-settings.php#L379"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Kuzymchak"}], "timeline": [{"time": "2025-01-27T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-09-10T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T14:10:43.190833Z", "id": "CVE-2025-0763", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:41:25.190Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0763", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T14:10:43.190833Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:10:45.435Z"}}], "cna": {"title": "Ultimate Classified Listings <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Kuzymchak"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webcodingplace", "product": "Ultimate Classified Listings", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-01-27T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-09-10T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c368677-e436-412a-9a88-89d128d72aa0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-classified-listings/tags/1.4/classes/class-admin-settings.php#L379"}], "descriptions": [{"lang": "en", "value": "The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin custom fields."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-11T07:24:50.341Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0763", "state": "PUBLISHED", "dateUpdated": "2025-09-11T14:41:25.190Z", "dateReserved": "2025-01-27T21:23:47.479Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:24:50.341Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin custom fields."}], "id": "CVE-2025-0763", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:32.190", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-classified-listings/tags/1.4/classes/class-admin-settings.php#L379"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c368677-e436-412a-9a88-89d128d72aa0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:14:54.754350+00:00", "value": {"mitigation_remediation": ["Upgrade the Ultimate Classified Listings plugin to version 1.8 or later, where the authorization check has been restored.", "Limit the ability of Subscriber and lower roles to edit plugin settings by adjusting role capabilities or using a role editor plugin to remove settings change permissions.", "Regularly audit user roles and monitor the plugin\u2019s configuration logs for unauthorized changes to ensure early detection of any exploitation attempts."], "summary": {"action": "Apply patch", "impact": "Unauthorized modification of plugin settings"}, "threat_synthesis": {"affected_systems": "This issue affects the Ultimate Classified Listings plugin from webcodingplace, in all versions up to and including 1.7. Users running these versions on any WordPress installation are exposed.", "description_and_impact": "The vulnerability allows authenticated users with Subscriber-level access or higher to alter the custom fields of the Ultimate Classified Listings WordPress plugin. This occurs because the save_custom_fields function performs no capability check, enabling data tampering and potentially disruptive configuration changes. The weakness is a classic lack of authorization, listed as CWE-862.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate severity, while an EPSS score of <1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation activity. The attack vector is inferred to be through legitimate authenticated access by users with Subscriber or higher roles, as no additional conditions are described in the data."}}}}, "created": "2025-09-12T08:03:00.969915+00:00", "updated": "2026-04-22T22:15:26.359950+00:00", "vendors": ["webcodingplace", "webcodingplace$PRODUCT$ultimate_classified_listings", "wordpress", "wordpress$PRODUCT$wordpress"]}