VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 6, 2025 · Updated Apr 15, 2026

CVE-2025-12574

Description

The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Listar plugin for WordPress (<=3.0.0) lacks a capability check on a REST API endpoint, allowing authenticated users with subscriber-level access to delete arbitrary posts.

The Listar – Directory Listing & Classifieds WordPress Plugin is vulnerable due to a missing capability check on the /wp-json/listar/v1/place/delete REST API endpoint. In all versions up to and including 3.0.0, the endpoint does not verify that the requesting user has the necessary permissions to delete posts, effectively bypassing WordPress's authorization framework [1]. This is a classic case of missing authorization (CWE-862) in a REST API handler.

Exploitation requires an authenticated account with at least Subscriber-level access. No special privileges beyond standard authentication are needed, as the endpoint accepts requests from any logged-in user. An attacker can send a crafted HTTP POST request to the vulnerable endpoint, specifying the ID of any post to delete. The request will be processed without checking if the user is an administrator, editor, or author of the post [1].

Successful exploitation allows an authenticated attacker to delete arbitrary posts on the WordPress site, including published pages, posts, or custom post types managed by the plugin. Data loss can be significant, leading to content removal and potential defacement or disruption of the site's listing functionality.

The plugin was closed on December 4, 2025, and is no longer available for download [1]. Users who have installed the plugin should immediately remove or deactivate it. No patch is available because the plugin is discontinued. Affected sites should migrate to an alternative directory listing plugin [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
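
An added example, not part of the advisory or the plugin's code: a log check a site owner can run to see whether the delete endpoint named above was called before the plugin was removed. It assumes web server access logs in Combined Log Format; the function names and sample log lines are constructed for illustration, and the `?rest_route=` form is how WordPress exposes the same route when pretty permalinks are off.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route named in the advisory, relative to the REST API root.
ROUTE = "/listar/v1/place/delete"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def hits_route(target: str) -> bool:
    """True if the request target addresses the Listar delete route."""
    parts = urlsplit(target)
    # Collapse repeated slashes and ignore case and trailing slash.
    path = re.sub(r"/{2,}", "/", parts.path).rstrip("/").lower()
    if path.endswith("/wp-json" + ROUTE):  # also matches subdirectory installs
        return True
    # parse_qs percent-decodes, so rest_route=%2Flistar%2F... is covered.
    for value in parse_qs(parts.query).get("rest_route", []):
        if value.rstrip("/").lower() == ROUTE:
            return True
    return False

def find_delete_calls(lines):
    """Return one record per log line that called the delete route."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and hits_route(m["target"]):
            status = int(m["status"])
            # A 2xx status means the handler accepted the call; compare the
            # timestamp with missing content or backups to confirm a deletion.
            found.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                          "status": status, "accepted": 200 <= status < 300})
    return found

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Dec/2025:10:01:12 +0000] "POST /wp-json/listar/v1/place/delete HTTP/1.1" 200 58 "-" "curl/8.5.0"',
    '198.51.100.7 - - [05/Dec/2025:10:01:15 +0000] "POST /index.php?rest_route=%2Flistar%2Fv1%2Fplace%2Fdelete HTTP/1.1" 200 58 "-" "curl/8.5.0"',
    '203.0.113.20 - - [05/Dec/2025:10:02:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Dec/2025:10:03:02 +0000] "POST /wp-json/listar/v1/place/delete HTTP/1.1" 401 112 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in find_delete_calls(SAMPLE_LOG):
        print(hit)
```

Accepted calls from accounts that hold only the Subscriber role are the ones to follow up on, since the access log alone does not record which user made the request.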

Affected products

2

Patches

0

No patches discovered yet.

References

2
