WordPress Plugin Vulnerabilities

Classified Listing – AI-Powered Classified ads & Business Directory Plugin < 5.2.1 - Missing Authorization to Authenticated (Subscriber+) Listing Types Tampering

Description

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update_listing_type", and "rtcl_ajax_delete_listing_type" function in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber level access and above, to add, update, or delete listing types.

Affects Plugins

Plugin icon
classified-listing
Fixed in 5.2.1

References

CVE
CVE-2025-12953
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/811f147e-5829-4f7e-91d8-9dba780950d5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
00dcfe5f-623a-4a12-93c2-8ec597ef179b

Timeline

Publicly Published
2025-11-10 (about 6 months ago)
Added
2025-11-10 (about 6 months ago)
Last Updated
2025-11-11 (about 6 months ago)

Other

Published
Title
Published
2026-02-27
Title
AI Workflow Automation <= 1.4.2 - Missing Authorization
Published
2024-06-21
Title
Hercules Core < 6.7 - Missing Authorization to Settings Update
Published
2024-04-05
Title
Responsive Lightbox < 2.4.7 - Information Disclosure
Published
2025-01-24
Title
VForm < 3.0.7 - Missing Authorization
Published
2025-04-01
Title
WP Clone any post type <= 3.6 - Missing Authorization