CVE-2025-1653: 
WordPress vulnerability analysis and mitigation

The Directory Listings WordPress plugin – uListing contains a privilege escalation vulnerability (CVE-2025-1653) affecting all versions up to and including 2.1.7. The vulnerability was discovered and disclosed on March 14, 2025. The plugin has been temporarily closed pending a full security review (WordPress Plugin).

The vulnerability exists in the stmlistingprofile_edit AJAX action which lacks proper restrictions on user meta updates. This insufficient authorization control is classified as CWE-266 (Incorrect Privilege Assignment). The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Wordfence Intel).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to elevate their privileges to administrator level. This could potentially give attackers full control over the WordPress site, allowing them to modify content, install malicious plugins, or access sensitive information (NVD Database).

The WordPress.org plugin repository has temporarily closed the plugin as of March 13, 2025, pending a full security review. Site administrators using the affected versions should immediately disable the plugin until a patched version becomes available (WordPress Plugin).