{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12574", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-31T21:03:13.438Z", "datePublished": "2025-12-06T05:49:24.676Z", "dateUpdated": "2026-04-08T16:45:32.589Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:32.589Z"}, "affected": [{"vendor": "passionui", "product": "Listar \u2013 Directory Listing & Classifieds WordPress Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Listar \u2013 Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts."}], "title": "Listar \u2013 Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33b98bee-7f33-4d49-96e1-9a1eafc92bb3?source=cve"}, {"url": "https://wordpress.org/plugins/listar-directory-listing/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-05T17:35:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:02:11.176910Z", "id": "CVE-2025-12574", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:02:23.724Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12574", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:02:11.176910Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:02:18.707Z"}}], "cna": {"title": "Listar \u2013 Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "passionui", "product": "Listar \u2013 Directory Listing & Classifieds WordPress Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:35:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33b98bee-7f33-4d49-96e1-9a1eafc92bb3?source=cve"}, {"url": "https://wordpress.org/plugins/listar-directory-listing/"}], "descriptions": [{"lang": "en", "value": "The Listar \u2013 Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:32.589Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12574", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:32.589Z", "dateReserved": "2025-10-31T21:03:13.438Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:24.676Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Listar \u2013 Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts."}], "id": "CVE-2025-12574", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:49.903", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/listar-directory-listing/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33b98bee-7f33-4d49-96e1-9a1eafc92bb3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T03:52:57.545479+00:00", "value": {"mitigation_remediation": ["Upgrade the Listar plugin to the latest available version (any release newer than 3.0.0) which likely contains the missing capability check; this addresses the CWE-862 flaw.", "If an upgrade is not immediately possible, restrict access to the /wp-json/listar/v1/place/delete REST endpoint by applying firewall or security plugin rules, or disable the endpoint entirely.", "Review and tighten user role assignments in WordPress, ensuring that only trusted users hold Subscriber or higher privileges; consider revoking Subscriber roles from users no longer required."], "summary": {"action": "Upgrade", "impact": "Arbitrary Post Deletion by Authenticated User"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Listar plugin, made by passionui, in all releases up to and including version 3.0.0. The plugin is commonly integrated into WordPress sites that rely on it for directory listing and classifieds functionality.", "description_and_impact": "The Listar \u2013 Directory Listing & Classifieds WordPress Plugin suffers from a missing capability check on the \"/wp-json/listar/v1/place/delete\" REST API endpoint. An authenticated user with a Subscriber role or higher can invoke this endpoint to delete any post. This vulnerability represents a CWE-862: Missing Authorization. Consequently, data loss and site content tampering may occur, affecting the integrity and availability of user\u2011generated listings.", "risk_and_exploitability": "The CVSS base score of 4.3 classifies the threat as low severity, reflecting that an attacker must first gain authenticated access with at least Subscriber privileges. The EPSS score being less than 1% indicates that discovery of exploit code in the wild is unlikely. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation currently. Exploitation requires sending an authenticated request to the public REST endpoint; the attacker needs no special network position but must be able to authenticate. No elevated privileges beyond Subscriber are required, so the impact remains constrained to data deletion rather than broader system compromise."}}}}, "created": "2025-12-08T09:39:36.235543+00:00", "updated": "2026-04-22T04:00:07.994125+00:00", "vendors": ["passionui", "passionui$PRODUCT$listar", "wordpress", "wordpress$PRODUCT$wordpress"]}