CVE-2025-12577
Description
The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Listar plugin has a missing capability check on a REST API endpoint, allowing subscribers to modify listing details.
The Listar – Directory Listing & Classifieds WordPress Plugin is vulnerable to unauthorized data modification due to a missing capability check on the /wp-json/listar/v1/place/save REST API endpoint. This affects all versions up to and including 3.0.0. The endpoint lacks proper authorization, allowing authenticated users with Subscriber-level access or above to update listing details without the required permissions [1].
An attacker who is authenticated as a Subscriber or higher can send crafted requests to the /wp-json/listar/v1/place/save endpoint. Since there is no capability check, the request is processed and modifies listing data. No additional privileges or complex conditions are needed beyond a valid WordPress account [1].
Successful exploitation allows an authenticated attacker to alter any listing details within the plugin. This could include changing titles, descriptions, prices, contact information, or other fields, potentially leading to misinformation, fraudulent listings, or reputational damage to legitimate listing owners [1].
The plugin has been closed on the WordPress plugin repository as of December 4, 2025, and is no longer available for download. Users are advised to remove or replace the plugin, as no official patch has been released [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
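Because no official patch exists and removal may take time, the missing check described above can be supplied from outside the plugin. The following must-use plugin is an added example, not code from the Listar plugin or from this advisory; the file name, the constant names and the choice of `edit_others_posts` as the required capability are assumptions to adjust to the roles that should be allowed to save listings on your site.

```php
<?php
/**
 * Added example: wp-content/mu-plugins/listar-place-save-gate.php (hypothetical file name).
 * Denies the Listar place/save REST route to users who lack a chosen capability.
 */
defined('ABSPATH') || exit;

// Route named in the CVE description, without the /wp-json prefix.
const LISTAR_GATE_ROUTE = '/listar/v1/place/save';
// Assumption: only users who may edit other users' posts may save listings.
const LISTAR_GATE_CAPABILITY = 'edit_others_posts';

// rest_request_before_callbacks runs after authentication and before the
// route's own callback, so returning a WP_Error here stops the save.
add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
    // Keep an error that core or another filter has already produced.
    if (is_wp_error($response)) {
        return $response;
    }

    // REST routes are matched case-insensitively, so normalise before comparing.
    $route = untrailingslashit(strtolower($request->get_route()));
    if ($route !== LISTAR_GATE_ROUTE) {
        return $response;
    }

    if (current_user_can(LISTAR_GATE_CAPABILITY)) {
        return $response;
    }

    // Record the denied attempt for review; the request body is not logged.
    error_log(sprintf(
        'listar-gate: denied %s %s for user id %d',
        $request->get_method(),
        $route,
        get_current_user_id()
    ));

    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to save listings.',
        array('status' => rest_authorization_required_code())
    );
}, 10, 3);
```

The gate checks only a role-level capability and does not verify listing ownership, so it is a stopgap until the plugin is removed or replaced.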
Affected products (2)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.