CVE-2025-0763: 
WordPress vulnerability analysis and mitigation

The Ultimate Classified Listings plugin for WordPress contains a vulnerability (CVE-2025-0763) related to unauthorized modification of data, discovered and disclosed on September 11, 2025. The vulnerability affects all versions up to and including 1.6, impacting the plugin's custom fields functionality. This security issue stems from a missing capability check in the savecustomfields function (NVD CVE).

The vulnerability is classified with a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The security flaw is categorized as CWE-862 (Missing Authorization), specifically relating to the absence of proper capability checks in the savecustomfields function. This allows authenticated users with minimal privileges to modify plugin settings that should be restricted (Wordfence Analysis).

The vulnerability enables authenticated attackers with Subscriber-level access or higher to modify plugin custom fields, potentially compromising the integrity of the classified listings data. This unauthorized access to modify custom fields could lead to data manipulation within the plugin's functionality (NVD CVE).

Website administrators running the Ultimate Classified Listings plugin should update to a version newer than 1.6 once available. Until then, it is recommended to review and potentially restrict user roles with access to the plugin's functionality (NVD CVE).