CVE-2025-1653

CVE-2025-1653 is a privilege escalation vulnerability in the uListing plugin for WordPress, also referred to as the Directory Listings WordPress plugin, affecting all versions up to and including 2.2.0. The flaw arises from insufficient restrictions in the stm_listing_profile_edit AJAX action, which fails to properly limit the user meta fields that can be updated, enabling unauthorized privilege changes. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-266.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By sending a crafted request to the vulnerable AJAX endpoint, they can modify their own user meta to elevate their role to administrator, potentially granting full control over the WordPress site, including access to sensitive data, user management, and plugin/theme modifications.

Mitigation details are outlined in advisories available at the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/4181b26e-89c7-4020-a3d4-29bdc88d7438?source=cve) and the plugin's official WordPress.org listing (https://wordpress.org/plugins/ulisting/).