{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12577", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-31T21:05:04.248Z", "datePublished": "2025-12-06T05:49:31.045Z", "dateUpdated": "2026-04-08T17:12:12.328Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:12.328Z"}, "affected": [{"vendor": "passionui", "product": "Listar \u2013 Directory Listing & Classifieds WordPress Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Listar \u2013 Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details."}], "title": "Listar \u2013 Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a063fab3-6d52-4f2a-b51f-b76fa2d4711c?source=cve"}, {"url": "https://wordpress.org/plugins/listar-directory-listing/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-05T17:36:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:32:32.516966Z", "id": "CVE-2025-12577", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:32:45.900Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12577", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:32:32.516966Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:32:41.607Z"}}], "cna": {"title": "Listar \u2013 Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "passionui", "product": "Listar \u2013 Directory Listing & Classifieds WordPress Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:36:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a063fab3-6d52-4f2a-b51f-b76fa2d4711c?source=cve"}, {"url": "https://wordpress.org/plugins/listar-directory-listing/"}], "descriptions": [{"lang": "en", "value": "The Listar \u2013 Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:12.328Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12577", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:12.328Z", "dateReserved": "2025-10-31T21:05:04.248Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:31.045Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Listar \u2013 Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details."}], "id": "CVE-2025-12577", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:50.070", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/listar-directory-listing/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a063fab3-6d52-4f2a-b51f-b76fa2d4711c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:18:43.864233+00:00", "value": {"mitigation_remediation": ["Apply the latest Listar plugin release that includes the missing capability check, if available; if no patch exists, defer the update until a corrected version is released.", "Restrict the ability of Subscriber and equivalent roles to edit listings by modifying WordPress role capabilities until a patched plugin is deployed.", "Enable logging of listing updates and review audit logs regularly to detect unauthorized modifications early."], "summary": {"action": "Patch when available", "impact": "Unauthorized modification of listings by authenticated users"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Listar \u2013 Directory Listing & Classifieds WordPress Plugin (vendor passionui) and run any version up to and including 3.0.0 are impacted. No information is available regarding the status of newer releases.", "description_and_impact": "The vulnerability arises from a missing capability check on the /wp-json/listar/v1/place/save REST API endpoint in the Listar \u2013 Directory Listing & Classifieds WordPress Plugin. This flaw allows an authenticated user with Subscriber-level access or higher to modify listing details, compromising data integrity. The issue is a classic missing authorization weakness (CWE-862).", "risk_and_exploitability": "Any authenticated user can exploit the endpoint to alter listings, as the missing capability check removes required authorization. Based on the description, the likely attack vector is internal, requiring the attacker to have a valid authenticated session. The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% signals a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation, but authorized users could still use the endpoint to persist unauthorized changes without additional privileges."}}}}, "created": "2025-12-08T09:39:40.152469+00:00", "updated": "2026-04-22T00:30:04.041651+00:00", "vendors": ["passionui", "passionui$PRODUCT$listar", "wordpress", "wordpress$PRODUCT$wordpress"]}