CVE-2025-1653

High

Published: 15 March 2025

Published

15 March 2025

Modified

08 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1653 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Stylemixthemes Ulisting. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-6 Least Privilege good match

prevent

Enforces least privilege to prevent low-privileged subscribers from escalating to administrator via unrestricted user meta updates in the AJAX action.

AC-3 Access Enforcement good match

prevent

Requires enforcement of access control policies on the stm_listing_profile_edit AJAX endpoint to restrict unauthorized modifications to privilege-related user meta.

SI-10 Information Input Validation good match

prevent

Mandates input validation on user meta fields submitted to the AJAX action to block updates to sensitive privilege attributes.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability directly enables privilege escalation by allowing authenticated low-privilege users to modify user meta and elevate to administrator role via the vulnerable AJAX action.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.0. This is due to the stm_listing_profile_edit AJAX action not having enough restriction on the user meta that…

can be updated. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

Deeper analysisAI

CVE-2025-1653 is a privilege escalation vulnerability in the uListing plugin for WordPress, also referred to as the Directory Listings WordPress plugin, affecting all versions up to and including 2.2.0. The flaw arises from insufficient restrictions in the stm_listing_profile_edit AJAX action, which fails to properly limit the user meta fields that can be updated, enabling unauthorized privilege changes. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-266.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By sending a crafted request to the vulnerable AJAX endpoint, they can modify their own user meta to elevate their role to administrator, potentially granting full control over the WordPress site, including access to sensitive data, user management, and plugin/theme modifications.

Mitigation details are outlined in advisories available at the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/4181b26e-89c7-4020-a3d4-29bdc88d7438?source=cve) and the plugin's official WordPress.org listing (https://wordpress.org/plugins/ulisting/).