CVE-2025-12882 is a critical privilege escalation vulnerability in the Clasifico Listing plugin for WordPress. The flaw lets an unauthenticated attacker obtain administrator privileges by supplying a crafted 'listinguserrole' parameter during account registration, because the plugin does not validate the requested role. Versions 1.0.0 through 2.0 are affected; the fix ships in version 2.1.
The impact of this vulnerability is severe. An attacker successfully exploiting CVE-2025-12882 gains complete control over the affected WordPress site. This includes the ability to modify content, install malicious plugins, create new user accounts with elevated privileges, and potentially access sensitive data stored within the WordPress database. The attacker could deface the website, steal user credentials, or use the compromised site as a launchpad for further attacks against other systems on the network. This vulnerability shares similarities with other privilege escalation flaws where user registration parameters are not properly validated, potentially leading to widespread compromise.
CVE-2025-12882 was published on 2026-02-19. Severity is currently assessed as CRITICAL (CVSS 9.8). Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation. The vulnerability is not currently listed on KEV or EPSS, but the high CVSS score indicates a medium to high probability of exploitation. Monitor security advisories from WordPress and Clasifico for further updates and potential active exploitation campaigns.
Exploitation status
EPSS: 0.10% (28th percentile)
The primary mitigation for CVE-2025-12882 is to immediately upgrade the Clasifico Listing plugin to version 2.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting user role assignment during registration. This could involve modifying the plugin's code (if possible) or using a WordPress plugin that enforces stricter user role controls. Monitor WordPress logs for suspicious account creation attempts, particularly those involving administrator role assignments. After upgrading, verify the fix by attempting to register a new account and confirming that the 'listinguserrole' parameter is properly validated and does not allow setting the role to 'administrator'.
No known patch is available. Review the vulnerability details carefully and apply mitigations according to your organization's risk tolerance. Ideally, uninstall the affected software and look for an alternative.
CVE-2025-12882 is a critical vulnerability in the Clasifico Listing WordPress plugin allowing unauthenticated attackers to gain administrator privileges during user registration by manipulating the 'listinguserrole' parameter. This grants them full control of the website.
You are affected if your WordPress site uses the Clasifico Listing plugin in versions 1.0.0 through 2.0. Check your plugin versions immediately and upgrade if necessary.
Upgrade the Clasifico Listing plugin to version 2.1 or later. If an immediate upgrade is not possible, apply a temporary workaround such as restricting which roles can be assigned during registration.
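The mitigation paragraphs above (the detailed one and this summary) recommend restricting role assignment during registration and logging suspicious administrator assignments while an upgrade is pending. The following must-use plugin is an added example of one way to do that in WordPress itself; it is not code from the Clasifico Listing plugin or from this advisory's publisher. It assumes only core WordPress hooks (`user_register`, `set_user_role`) and capabilities (`promote_users`); the list of roles it treats as privileged is a constructed assumption you should adjust for your site, and the `listinguserrole` request parameter is read purely to record evidence, never to make a decision.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not part of Clasifico Listing)
 * Description: Drop this file into wp-content/mu-plugins/. It forces newly registered
 *              accounts back to the site's default role whenever the request did not come
 *              from a user allowed to promote others, and logs the attempt for review.
 *              Temporary workaround only; upgrading the plugin is the real fix.
 */

// Roles that must never be granted through self-registration.
// Assumption for this example: adjust to the roles your site considers privileged.
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor', 'shop_manager' );

/**
 * Return the privileged roles present on a user object (empty array if none).
 */
function rrg_privileged_roles_of( WP_User $user ) {
    return array_values( array_intersect( (array) $user->roles, RRG_PRIVILEGED_ROLES ) );
}

/**
 * Runs after wp_insert_user() has created the account. If the actor behind the request
 * cannot promote users (an unauthenticated or low-privilege registration) and the new
 * account carries a privileged role, reset it to the configured default role and record
 * the event so the attempt can be investigated.
 */
function rrg_enforce_default_role( $user_id ) {
    if ( current_user_can( 'promote_users' ) ) {
        return; // An administrator creating a user in wp-admin is legitimate.
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return;
    }

    $granted = rrg_privileged_roles_of( $user );
    if ( empty( $granted ) ) {
        return;
    }

    $user->set_role( get_option( 'default_role', 'subscriber' ) );

    // Record what was requested; the parameter name comes from the advisory text.
    $requested = isset( $_REQUEST['listinguserrole'] )
        ? sanitize_key( wp_unslash( $_REQUEST['listinguserrole'] ) )
        : '(absent)';
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    error_log( sprintf(
        'registration-role-guard: user %d registered with role(s) %s (listinguserrole=%s, ip=%s); reset to default role',
        $user_id,
        implode( ',', $granted ),
        $requested,
        $ip
    ) );
}
// Very late priority so the guard runs after any role the plugin assigned on the same hook.
add_action( 'user_register', 'rrg_enforce_default_role', PHP_INT_MAX );

/**
 * Secondary signal: set_user_role fires for every WP_User::set_role() call, including the
 * one inside wp_insert_user(). Log any switch to a privileged role made by an actor who
 * cannot promote users, which covers role changes the plugin performs outside registration.
 */
function rrg_log_privileged_role_change( $user_id, $role, $old_roles ) {
    if ( in_array( $role, RRG_PRIVILEGED_ROLES, true ) && ! current_user_can( 'promote_users' ) ) {
        error_log( sprintf(
            'registration-role-guard: user %d set to role %s (previously [%s]) without promote_users',
            $user_id,
            $role,
            implode( ',', (array) $old_roles )
        ) );
    }
}
add_action( 'set_user_role', 'rrg_log_privileged_role_change', 10, 3 );
```

The guard reacts after the account exists, so a privileged role can be present for the few milliseconds between `wp_insert_user()` and the `user_register` hook; that window is acceptable for a stop-gap but is one more reason the plugin upgrade, not this file, is the fix. The log lines go to the PHP error log (or `WP_DEBUG_LOG` when enabled), which is the place to watch for the suspicious account-creation attempts the advisory asks you to monitor.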
While there are no confirmed reports of active exploitation at this time, the high CVSS score and ease of exploitation suggest a medium to high probability of exploitation in the near future.
Refer to the Clasifico Listing plugin's official website or WordPress plugin repository for the latest security advisory and update information related to CVE-2025-12882.