CVE-2025-1657
Published: 15 March 2025
Description
The text below is the MITRE ATT&CK description of Stored Data Manipulation (T1565.001), one of the two techniques this CVE is mapped to further down; it describes the class of impact, not this plugin bug specifically:
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-1657 affects the uListing Directory Listings WordPress plugin, versions up to and including 2.2.0. The vulnerability is a missing capability check on the stm_listing_ajax AJAX action: the handler performs privileged operations without verifying that the caller is allowed to perform them, so any authenticated user can modify data they are not authorized to touch and can supply serialized PHP objects. The flaw is classified as CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker who can reach the handler can update post meta data and inject PHP objects that the plugin may later unserialize.
Any authenticated user with subscriber-level access or higher can exploit the flaw remotely over the network, with low attack complexity and no user interaction. Post meta modification on its own is an integrity problem, since listing and post attributes can be rewritten; the PHP object injection is what drives the high confidentiality, integrity and availability ratings. Turning object injection into code execution, file manipulation or similar requires a usable gadget chain (a class with a magic method such as __wakeup or __destruct that does something dangerous with attacker-controlled properties) in the plugin itself or in another active plugin or theme, so real-world impact depends on the unserialized objects and the site's configuration.
Advisories note that a capability check was added in version 2.1.8, while the unserialize functionality remains present. Relevant references are the plugin's Trac changeset 3261184 in StmListing.php, the official WordPress plugin page, and Wordfence's threat intelligence entry for the issue. Site owners should update to a release later than 2.2.0. Plugin maintainers and reviewers should audit every wp_ajax_ (and wp_ajax_nopriv_) handler for the same gap: each handler that changes state needs a nonce check (check_ajax_referer) and a capability check (current_user_can) scoped to the object being modified, and request input should never be passed to unserialize().
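The following is an added example, not code from the uListing plugin, the Trac changeset or any advisory. It is a heuristic Python audit script for the review step recommended above: it scans PHP plugin source for add_action('wp_ajax_...') registrations, locates each callback's body and reports whether the handler checks a nonce, checks a capability, reads request input and unserializes data. The embedded PHP sample is constructed for the example (the Demo_Listing class, action names and meta keys are hypothetical); its first handler shows the vulnerable pattern described in the summary (request input written to post meta through maybe_unserialize with no authorization), and its second shows the hardened form using the real WordPress functions check_ajax_referer, current_user_can, absint and sanitize_text_field.

```python
# Added example: heuristic audit of WordPress AJAX handlers for the CWE-862
# pattern described above. Not code from the uListing plugin or any advisory.
import re
import sys

# Constructed sample plugin source; class, action and meta names are hypothetical.
SAMPLE_PLUGIN_SRC = r'''
class Demo_Listing {
    public function __construct() {
        add_action('wp_ajax_demo_listing_ajax', array($this, 'listing_ajax'));
        add_action('wp_ajax_demo_listing_save', array($this, 'listing_save'));
        add_action('wp_ajax_nopriv_demo_listing_count', [$this, 'listing_count']);
    }
    // Vulnerable: no nonce, no capability check, attacker-chosen meta key,
    // and a value that is unserialized before it is stored.
    public function listing_ajax() {
        $post_id = (int) $_POST['post_id'];
        $value   = maybe_unserialize(wp_unslash($_POST['value']));
        update_post_meta($post_id, $_POST['key'], $value);
        wp_die();
    }
    // Hardened: nonce, capability check scoped to the post, fixed meta key,
    // sanitized scalar value, nothing unserialized.
    public function listing_save() {
        check_ajax_referer('demo_listing_save', 'nonce');
        $post_id = absint($_POST['post_id'] ?? 0);
        if (!current_user_can('edit_post', $post_id)) {
            wp_send_json_error('forbidden', 403);
        }
        $price = sanitize_text_field(wp_unslash($_POST['price'] ?? ''));
        update_post_meta($post_id, '_demo_price', $price);
        wp_send_json_success();
    }
    // Unauthenticated read-only endpoint: no request input, nothing to authorize.
    public function listing_count() {
        wp_send_json_success(wp_count_posts('listing'));
    }
}
'''

# add_action('wp_ajax_<action>', 'func'), array($this, 'method') or [$this, 'method']
REGISTER_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>[\w\-]+)['"]\s*,\s*
        (?:(?:array\(|\[)\s*[^,\]\)]+,\s*)?['"](?P<callback>\w+)['"]""",
    re.VERBOSE,
)
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
UNSERIALIZE_RE = re.compile(r"\b(?:maybe_)?unserialize\s*\(")
INPUT_RE = re.compile(r"\$_(?:POST|GET|REQUEST)\b")


def function_body(src, name):
    """Brace-delimited body of `function name(...)`, or None if not found.
    Plain brace counting (ignores braces inside PHP strings/comments): fine
    for triage, not a parser."""
    m = re.search(r"function\s+%s\s*\(" % re.escape(name), src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def audit_ajax_handlers(src):
    """One finding dict per wp_ajax_ registration in `src`."""
    findings = []
    for m in REGISTER_RE.finditer(src):
        body = function_body(src, m.group("callback"))
        findings.append({
            "action": m.group("action"),
            "callback": m.group("callback"),
            "nopriv": m.group("nopriv") is not None,
            "capability_check": bool(body and CAP_RE.search(body)),
            "nonce_check": bool(body and NONCE_RE.search(body)),
            "reads_request_input": bool(body and INPUT_RE.search(body)),
            "unserializes": bool(body and UNSERIALIZE_RE.search(body)),
        })
    return findings


def risky_handlers(findings):
    """Handlers that consume request input with no capability check (CWE-862)."""
    return [f for f in findings if f["reads_request_input"] and not f["capability_check"]]


if __name__ == "__main__":
    # Pass a PHP file path to audit real plugin source; defaults to the sample.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PLUGIN_SRC
    for f in audit_ajax_handlers(src):
        missing = [k for k in ("nonce_check", "capability_check") if not f[k]]
        print(f"wp_ajax_{'nopriv_' if f['nopriv'] else ''}{f['action']} -> {f['callback']}: "
              f"missing={missing} unserializes={f['unserializes']}")
```

On the sample, only listing_ajax is reported as risky: it reads $_POST, has no current_user_can call and unserializes its input, which is exactly the combination the advisory describes. A hit from this script is a lead, not a verdict; handlers that delegate authorization to a helper, register callbacks through closures, or check capabilities in a parent method will be misreported and need manual review.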
Details
- CWE(s): CWE-862 (Missing Authorization)
- Affected Products: uListing Directory Listings WordPress plugin, versions up to and including 2.2.0
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application); T1565.001 (Stored Data Manipulation)
Why these techniques?
The flaw sits in a public-facing WordPress plugin, so exploiting it is Exploit Public-Facing Application (T1190), and the missing capability check on the AJAX action lets an attacker rewrite stored post meta data, which is Stored Data Manipulation (T1565.001). The PHP object injection may enable further impacts, but without details on the resulting outcomes it has no direct technique mapping.