CVE-2025-12953: 
WordPress vulnerability analysis and mitigation

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin for WordPress contains a missing authorization vulnerability (CVE-2025-12953) discovered on November 10, 2025. This vulnerability affects all versions up to and including 5.2.0. The issue stems from missing capability checks on several AJAX functions related to listing type management (NVD, Rapid7).

The vulnerability is caused by missing capability checks on three AJAX functions: 'rtclajaxaddlistingtype', 'rtclajaxupdatelistingtype', and 'rtclajaxdeletelistingtype'. The CVSS v3.1 base score is 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-862: Missing Authorization (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to add, update, or delete listing types in the plugin. This unauthorized access to listing type management functions could lead to manipulation of the website's classified listing structure (Wordfence).

The vulnerability has been patched in version 5.2.1 of the Classified Listing plugin. The fix implements proper capability checks requiring administrator privileges for listing type management functions. Users are advised to update to version 5.2.1 or later (WordPress Plugin).