Platform: wordpress
Component: clasifico-listing
Fixed in: 2.1
CVE-2025-12882 is a critical privilege escalation vulnerability in the Clasifico Listing plugin for WordPress. An unauthenticated attacker can obtain administrator privileges by supplying the 'listinguserrole' parameter during account registration. Versions 1.0.0 through 2.0 are affected; the fix is in version 2.1.
The impact is severe. An attacker who exploits CVE-2025-12882 gains full administrative control of the affected WordPress site: modifying content, installing malicious plugins or themes (and with them arbitrary PHP), creating further privileged accounts, and reading anything in the WordPress database, including user records and password hashes. The attacker can deface the site, harvest user credentials, or use the server as a foothold against other systems on the network. The root cause is the role-injection form of a mass-assignment bug: a value supplied by the registrant is used directly as the new account's role instead of being mapped to a server-side allow-list.
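The pattern the advisory describes, shown as an added illustration beside a hardened replacement. This is not the Clasifico Listing plugin's code: only the 'listinguserrole' field name comes from the advisory, while the function names, the other form fields and the listing role names are assumptions made for the example.

```php
<?php
/*
 * Illustration of the role-injection pattern the advisory describes, and of
 * a hardened replacement. Added example: this is NOT the Clasifico Listing
 * plugin's code. Only the 'listinguserrole' field name comes from the
 * advisory; the function names, the other form fields and the listing role
 * names are assumptions made for the example.
 */

// Vulnerable pattern: whatever the client puts in listinguserrole becomes the
// account's WordPress role. Nothing stops an unauthenticated visitor from
// sending listinguserrole=administrator, so wp_insert_user() creates an
// administrator.
function cl_register_vulnerable( array $post ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => $post['listinguserrole'] ?? 'subscriber', // attacker-controlled
    );
    return wp_insert_user( $userdata ); // user ID or WP_Error
}

// Hardened pattern: the request may only choose between the roles the plugin
// deliberately exposes on its form; every other value, including
// 'administrator', falls back to the site's configured default role.
function cl_allowed_registration_role( $requested ) {
    // Assumed names for the plugin's own low-privilege roles.
    $public_roles = array( 'listing_buyer', 'listing_seller' );
    if ( in_array( $requested, $public_roles, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function cl_register_fixed( array $post ) {
    // sanitize_key() lower-cases and strips to [a-z0-9_-] before the lookup.
    $role = cl_allowed_registration_role( sanitize_key( $post['listinguserrole'] ?? '' ) );

    // Second line of defence: core's privileged roles are never assignable
    // from a public form, even if the allow-list above is misconfigured.
    if ( in_array( $role, array( 'administrator', 'editor', 'author' ), true ) ) {
        $role = get_option( 'default_role', 'subscriber' );
    }

    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => $role,
    );
    return wp_insert_user( $userdata );
}
```

The hardened handler states the general rule for this bug class: the request never chooses a role, it selects an entry from a server-side allow-list, and the privileged core roles are kept out of that list altogether.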
CVE-2025-12882 was published on 2026-02-19 and is assessed as CRITICAL (CVSS 9.8). It is not on the CISA KEV list; EPSS currently scores it at 0.10% (28th percentile), which reflects the absence of observed exploitation so far rather than any difficulty, since the attack is a single unauthenticated registration request. Public proof-of-concept (POC) code is likely to appear. Note that CVSS measures severity, not the likelihood of exploitation. Monitor advisories from WordPress and the Clasifico Listing maintainers for updates and reports of active exploitation.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-12882 is to upgrade the Clasifico Listing plugin to version 2.1 or later immediately. If upgrading is not immediately feasible because of compatibility concerns, restrict role assignment during registration as a stopgap: disable the plugin's public registration form, or install a must-use plugin that resets any privileged role granted by an unauthenticated request back to the site's default role. WordPress does not log account creation on its own, so audit the user list instead: review every account holding the administrator role, paying particular attention to accounts whose registration date postdates the plugin's installation and that nobody on the team recognises, and check web server access logs for POST requests to the plugin's registration endpoint. Treat any unexplained administrator as a site compromise, since such an account can install arbitrary plugins. After upgrading, verify the fix on a staging copy by submitting a registration with 'listinguserrole' set to 'administrator' and confirming that the created account receives only the default role.
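One way to build the stopgap described above, as an added example that is not part of Clasifico Listing or WordPress core: a must-use plugin (a file dropped into wp-content/mu-plugins/) that hooks the core role-assignment actions and resets any privileged role granted by a request lacking the promote_users capability to the site's default role. The rrg_ function names and the file name are assumptions; the hooks, capability and WP_User methods are WordPress core.

```php
<?php
/*
 * Plugin Name: Registration Role Guard (temporary CVE-2025-12882 stopgap)
 * Description: Save as wp-content/mu-plugins/registration-role-guard.php.
 * Resets any privileged role assigned by a request that may not assign
 * roles itself. Added example, not part of Clasifico Listing or WordPress
 * core; the rrg_ function names and the file name are assumptions.
 */

// Roles that must never be granted by an unprivileged request. The plugin's
// own listing roles are deliberately absent so its normal sign-up keeps working.
function rrg_privileged_roles() {
    return array( 'administrator', 'editor' );
}

// Trusted callers: a logged-in user with promote_users (wp-admin "Add New
// User", profile edits) and WP-CLI, which defines the WP_CLI constant.
function rrg_request_may_assign_roles() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return true;
    }
    return current_user_can( 'promote_users' );
}

// Fires for WP_User::set_role() (used by wp_insert_user() during
// registration) and WP_User::add_role(), so both ways a plugin might grant a
// role are covered.
function rrg_guard_role( $user_id, $role ) {
    if ( rrg_request_may_assign_roles() ) {
        return;
    }
    if ( ! in_array( $role, rrg_privileged_roles(), true ) ) {
        return;
    }

    $default_role = get_option( 'default_role', 'subscriber' );
    $user         = new WP_User( $user_id );

    // Audit trail in the PHP error log (wp-content/debug.log when
    // WP_DEBUG_LOG is enabled).
    error_log( sprintf(
        'rrg: blocked role "%s" for user %d (%s) requested from %s; reset to "%s"',
        $role,
        $user_id,
        $user->user_login,
        $_SERVER['REMOTE_ADDR'] ?? 'cli/cron',
        $default_role
    ) );

    // set_role() replaces all roles. It re-fires set_user_role with the
    // default role, which this guard lets through, so there is no recursion.
    $user->set_role( $default_role );
}

add_action( 'set_user_role', 'rrg_guard_role', 10, 2 );
add_action( 'add_user_role', 'rrg_guard_role', 10, 2 );
```

Two caveats. Background jobs (wp-cron) run without a logged-in user, so any job that legitimately grants the editor or administrator role would be reset while this guard is installed; extend rrg_request_may_assign_roles() if you have one. And the guard only stops new grants: existing accounts still need auditing, for which WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` gives a quick list. Remove the file once the plugin is on 2.1 or later.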
CVE-2025-12882 is a critical vulnerability in the Clasifico Listing WordPress plugin allowing unauthenticated attackers to gain administrator privileges during user registration by manipulating the 'listinguserrole' parameter. This grants them full control of the website.
You are affected if your WordPress site runs the Clasifico Listing plugin at any version from 1.0.0 through 2.0. Check the installed version on the Plugins screen in wp-admin or with the WP-CLI plugin list command, and upgrade if necessary.
Upgrade the Clasifico Listing plugin to version 2.1 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting user role assignment during registration.
There are no confirmed reports of active exploitation at this time, and EPSS currently rates it at 0.10%. Because the attack needs no authentication or user interaction and consists of a single crafted registration request, exploitation should be expected once details or a public POC circulate; the CVSS 9.8 score describes the severity, not that likelihood.
Refer to the Clasifico Listing plugin's official website or WordPress plugin repository for the latest security advisory and update information related to CVE-2025-12882.