Critical (9.8)

Wordpress Privilege Escalation (CVE-2025-12882)

CVE-2025-12882

The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set...

Affected: WordPress

Overview

A critical security vulnerability has been identified in the Clasifico Listing plugin for WordPress. This flaw allows any visitor to your website to register themselves as a full administrator, granting them complete control over the affected WordPress site.

Vulnerability Details

In simple terms, the plugin contains a registration feature that is improperly secured. When a new user signs up, the plugin incorrectly allows them to specify their own user role (like “subscriber,” “editor,” or “administrator”) via a hidden form field. An attacker can exploit this by manually setting this field to “administrator” during registration. The plugin then creates the account with those elevated privileges without any validation, bypassing all normal security checks.
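The pattern described above, shown as an added illustration in PHP (not the Clasifico Listing plugin's actual code): a hypothetical registration handler that trusts a role value submitted with the form, beside a hardened version that fixes the role server-side. Function names, the nonce action name and the form field names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Requires WordPress to be loaded.

// VULNERABLE PATTERN: the role is taken from a request field the visitor controls.
// A hidden <input name="role"> in the form is still just POST data, so anyone
// can submit role=administrator and wp_insert_user() will honour it.
function example_register_user_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_unslash( $_POST['password'] ?? '' ),  // wp_insert_user() hashes it
        'role'       => sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) ),
    );
    return wp_insert_user( $userdata );
}

// HARDENED: the role is never read from the request. It is set server-side to the
// site's configured default role (normally "subscriber"), and the request must
// carry a valid nonce so the form cannot be replayed from elsewhere.
function example_register_user_hardened() {
    if ( ! isset( $_POST['example_nonce'] ) ||
         ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ), 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }

    $default_role = get_option( 'default_role', 'subscriber' );

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_unslash( $_POST['password'] ?? '' ),
        'role'       => $default_role,   // fixed here, whatever the form sent
    );

    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Defence in depth: a self-registered account must never end up with
    // administrator rights, even if another filter or code path changed the role.
    $user = get_user_by( 'id', $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        $user->set_role( $default_role );
    }
    return $user_id;
}
```

The only difference that matters for this CVE is the `'role'` entry: in the hardened handler it comes from `get_option( 'default_role' )`, a value only an administrator can change in Settings > General, and not from anything the visitor submits.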

Impact Assessment

The impact of this vulnerability is severe. An unauthenticated attacker (anyone visiting the site) can easily create an administrator account for themselves. Once in control, they can:

  • Install malicious plugins or themes.
  • Deface the website.
  • Steal sensitive user data.
  • Inject backdoors for persistent access.
  • Use the server to launch further attacks.

Given the low complexity of the attack and the fact it requires no prior access or credentials, this vulnerability is scored as a 9.8 (CRITICAL) on the CVSS scale.

Remediation and Mitigation

Immediate action is required to secure any website using this plugin.

Primary Solution (Update Immediately): The most effective action is to update the Clasifico Listing plugin to the latest patched version (2.0.1 or higher). Plugin developers have released a fix that removes the ability for users to specify their role during registration.

Immediate Mitigation Steps: If an immediate update is not possible, take these steps:

  1. Disable the Plugin: Temporarily deactivate the Clasifico Listing plugin via your WordPress admin dashboard or via your hosting control panel (by renaming its folder in /wp-content/plugins/).
  2. Audit User Accounts: Carefully review your site’s user list (Users in WordPress admin) for any recently created, suspicious administrator accounts, especially those with unfamiliar email addresses. Remove any unauthorized administrators.
  3. Monitor for Compromise: Be alert for signs of compromise, such as unfamiliar plugins, changed files, or strange website behavior.

General Best Practice: Always keep all WordPress plugins, themes, and the core installation updated to their latest versions to protect against known vulnerabilities.
