Cyber Posture

CVE-2025-12882

Critical

Published: 19 February 2026

Published
19 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role'…

more

parameter. This makes it possible for unauthenticated attackers to gain elevated privileges by registering an account with the administrator role.

Mitigating Controls (NIST 800-53 r5)AI

AC-2 Account Management good match
prevent

Establishes processes for account creation, including role assignment during registration, preventing unauthenticated users from arbitrarily setting elevated privileges like administrator.

SI-10 Information Input Validation good match
prevent

Validates user-supplied inputs such as the 'listing_user_role' parameter to ensure only authorized roles are accepted during account registration.

AC-6 Least Privilege good match
prevent

Enforces least privilege by ensuring newly registered accounts are assigned only the minimal roles necessary, blocking self-escalation to administrator.

Security SummaryAI

CVE-2025-12882 is a privilege escalation vulnerability in the Clasifico Listing plugin for WordPress, affecting versions up to and including 2.0. The issue arises because the plugin allows users registering new accounts to arbitrarily set their own user role by supplying the 'listing_user_role' parameter during registration. Classified under CWE-269 (Improper Privilege Management), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By registering a new account and setting the 'listing_user_role' parameter to 'administrator', attackers gain elevated administrator privileges on the WordPress site, enabling full control such as installing malicious plugins, modifying content, accessing sensitive data, or executing arbitrary code.

Advisories providing further details and potential mitigation steps, including patches or workarounds, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/70fb90f0-1ca4-41fe-8638-cdd05747adae?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/clasifico-classified-ads-wordpress-theme/33539482. Security practitioners should review these sources for update instructions and consider disabling the plugin until remediation.

Details

CWE(s)
CWE-269

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The vulnerability enables unauthenticated exploitation of a public-facing WordPress plugin (T1190) to achieve privilege escalation to administrator via arbitrary user role assignment (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References