CVE-2025-10706
Published: 16 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-10706 is a vulnerability in the Classified Pro theme for WordPress, affecting all versions up to and including 1.0.14. It arises from a missing capability check in the 'cwp_addons_update_plugin_cb' function, enabling unauthorized plugin installation. The required nonce for the vulnerability is located in the CubeWP Framework plugin. The issue is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows them to install arbitrary plugins on the affected WordPress site's server, which may lead to remote code execution depending on the plugins installed.
Mitigation details are available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/2954583e-4ebe-4658-b132-0085f2b1cf08?source=cve and the Classified Pro theme page on ThemeForest at https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows exploitation of a public-facing WordPress application (T1190) via missing authorization, enabling low-privileged authenticated users (subscriber+) to install arbitrary plugins, facilitating privilege escalation (T1068).