CVE-2025-1657
Published: 15 March 2025
Summary
CVE-2025-1657 is a high-severity Missing Authorization (CWE-862) vulnerability in Stylemixthemes Ulisting. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces required capability checks on the stm_listing_ajax AJAX action to prevent unauthorized modification of post meta data by subscriber-level users.
Applies least privilege to restrict subscriber-level access to sensitive AJAX functions that allow data updates and object injection.
Validates inputs to AJAX handlers to block malicious PHP object injection that could lead to unserialization exploits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing WordPress plugin directly enables exploitation of the application (T1190) and unauthorized modification of stored post meta data (T1565.001) due to the missing capability check on the AJAX action; PHP object injection may facilitate further impacts but lacks a direct technique mapping without additional details on outcomes.
NVD Description
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized. A capability check was added in 2.1.8, but the unserialize is still present.
Deeper analysis
CVE-2025-1657 affects the uListing Directory Listings WordPress plugin, specifically versions up to and including 2.2.0. The vulnerability stems from a missing capability check on the stm_listing_ajax AJAX action, enabling unauthorized modification of data and PHP Object Injection. This flaw, classified under CWE-862 (Missing Authorization), allows attackers to update post meta data and inject PHP objects that may later be unserialized, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables modification of post metadata and injection of malicious PHP objects, potentially leading to high confidentiality, integrity, and availability impacts depending on the unserialized objects and site configuration.
Advisories note that a capability check was added in version 2.1.8, though the unserialize functionality remains present. Relevant references include the plugin's Trac changeset 3261184 in StmListing.php, the official WordPress plugin page, and Wordfence's threat intelligence details on the issue. Security practitioners should urge site owners to update to the latest version beyond 2.2.0 where possible and review AJAX handlers for similar authorization gaps.
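As an added example (not the plugin's code and not part of the advisory), here is a heuristic Python audit for the handler review recommended above. It flags `wp_ajax_` callbacks that contain no `current_user_can()` call or that call `unserialize()`. The embedded PHP sample, `DemoListing` and `demo_save_note` are constructed for illustration.

```python
import re

# Constructed sample for illustration; NOT the uListing plugin's source.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_stm_listing_ajax', array('DemoListing', 'listing_ajax'));
add_action('wp_ajax_demo_save_note', 'demo_save_note');
class DemoListing {
    public static function listing_ajax() {
        $data = unserialize(wp_unslash($_POST['data']));
        if ($data) { update_post_meta((int) $_POST['post_id'], 'demo_meta', $data); }
    }
}
function demo_save_note() {
    $id = (int) $_POST['post_id'];
    if (!current_user_can('edit_post', $id)) { wp_die(-1, 403); }
    update_post_meta($id, 'demo_note', sanitize_text_field($_POST['note']));
}
"""

# Matches: add_action('wp_ajax_<action>', <callback>[, priority]);
HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_(?:nopriv_)?([\w-]+)['\"]\s*,\s*([^;]*?)\)\s*;")
QUOTED = re.compile(r"['\"](\w+)['\"]")

def function_body(src, name):
    """Return the text inside `function name(...) { ... }`, or None (heuristic brace match)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    """List (action, finding) pairs for AJAX callbacks that need manual review."""
    findings = []
    for action, callback in HOOK.findall(src):
        names = QUOTED.findall(callback)  # last quoted token is the function/method name
        body = function_body(src, names[-1]) if names else None
        if body is None:
            findings.append((action, "callback body not found"))
            continue
        if "current_user_can(" not in body:
            findings.append((action, "no capability check"))
        if re.search(r"\b(?:maybe_)?unserialize\(", body):
            findings.append((action, "unserialize in handler"))
    return findings
```

The match is textual, so a capability check performed in a helper the callback calls will still be flagged; treat each finding as a prompt for manual review.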
Details
- CWE(s)