CVE-2025-12882
Published: 19 February 2026
Summary
CVE-2025-12882 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Establishes processes for account creation, including role assignment during registration, preventing unauthenticated users from arbitrarily setting elevated privileges like administrator.
Validates user-supplied inputs such as the 'listing_user_role' parameter to ensure only authorized roles are accepted during account registration.
Enforces least privilege by ensuring newly registered accounts are assigned only the minimal roles necessary, blocking self-escalation to administrator.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated exploitation of a public-facing WordPress plugin (T1190) to achieve privilege escalation to administrator via arbitrary user role assignment (T1068).
NVD Description
The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role'…
more
parameter. This makes it possible for unauthenticated attackers to gain elevated privileges by registering an account with the administrator role.
Deeper analysisAI
CVE-2025-12882 is a privilege escalation vulnerability in the Clasifico Listing plugin for WordPress, affecting versions up to and including 2.0. The issue arises because the plugin allows users registering new accounts to arbitrarily set their own user role by supplying the 'listing_user_role' parameter during registration. Classified under CWE-269 (Improper Privilege Management), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By registering a new account and setting the 'listing_user_role' parameter to 'administrator', attackers gain elevated administrator privileges on the WordPress site, enabling full control such as installing malicious plugins, modifying content, accessing sensitive data, or executing arbitrary code.
Advisories providing further details and potential mitigation steps, including patches or workarounds, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/70fb90f0-1ca4-41fe-8638-cdd05747adae?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/clasifico-classified-ads-wordpress-theme/33539482. Security practitioners should review these sources for update instructions and consider disabling the plugin until remediation.
Details
- CWE(s)