CVE-2025-10706: 
WordPress vulnerability analysis and mitigation

The Classified Pro theme for WordPress (CVE-2025-10706) contains a vulnerability related to unauthorized plugin installation, discovered and disclosed on October 15, 2025. The vulnerability affects all versions up to and including 1.0.14 of the Classified Pro theme. This security issue was identified by researcher István Márton (Wordfence).

The vulnerability stems from a missing capability check in the 'cwpaddonsupdateplugincb' function, classified as CWE-862 (Missing Authorization). The security issue has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The required nonce for exploiting this vulnerability is present in the CubeWP Framework plugin (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to install arbitrary plugins on the affected site's server. This capability could potentially lead to remote code execution, significantly compromising the security of the affected WordPress installations (NVD).

Users of the Classified Pro WordPress theme should upgrade to a version newer than 1.0.14 when available. Until a patch is released, site administrators should carefully review and limit user access privileges, particularly for subscriber-level accounts (NVD).