CVE Alert: CVE-2025-9874 – webcodingplace – Ultimate Classified Listings
CVE-2025-9874
The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the ‘uclwp_dashboard’ shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Summary Analysis
Risk verdict
High risk: authenticated attackers with Contributor+ access could exploit remotely to achieve code execution; patching should be prioritised.
Why this matters
Local File Inclusion in the plugin lets an attacker run arbitrary PHP on the server, potentially bypassing access controls, exfiltrating data, or fully compromising the site. Because no user interaction is required and the flaw is reachable over the network, a single compromised Contributor account on a vulnerable site could lead to rapid, unauthorised control of the host, and the same weakness can be exploited across many sites at scale.
Most likely attack path
An attacker with a valid Contributor+ WordPress account uses the vulnerable uclwp_dashboard shortcode to trigger a local file inclusion, leading to arbitrary PHP execution. The CVSS indicates the flaw is reachable over the network but requires low-privilege authenticated access, so likelihood hinges on account compromise or on sites with exposed contributor accounts. Successful code execution could enable further privilege escalation, defacement, data access, or web shell deployment, with potential lateral movement within the host environment.
Who is most exposed
WordPress sites using Ultimate Classified Listings (versions up to 1.6) in environments where contributor accounts exist and where plugin management is lax (e.g., shared hosting or multisite setups) are most at risk.
Detection ideas
- Unexpected PHP files written under the plugin or uploads directories.
- Web server logs showing requests that align with the uclwp_dashboard shortcode usage.
- PHP error/log entries referencing include/require failures or file inclusion events.
- Unusual account activity for Contributor+ users (new sessions, failed logins).
- Anomalous outbound connections from the PHP process.
Mitigation and prioritisation
- Patch to the latest plugin version or remove the plugin if unnecessary.
- Enforce least privilege: disable or tightly control Contributor+ accounts; disable plugin features not in use.
- Implement a WAF/IPS rule set to block suspicious local file inclusion patterns; restrict PHP execution in upload directories.
- Hardening: disable file uploads of PHP types or validate allowed file types; monitor and restrict file system write permissions in WP dirs.
- Change-management: test patch in staging before production; schedule urgent deployment with rollback plan.
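As an added example (not from the advisory, the plugin, or its vendor), the detection idea about unexpected PHP files under the uploads directory and the hardening item about blocking PHP execution there can be checked and applied with a small POSIX shell helper; the uploads path and the use of Apache 2.4 with AllowOverride enabled are assumptions about the target host:

```shell
#!/bin/sh
# Added example, not part of the advisory: a defender-side helper that
# (a) lists PHP-type files under a WordPress uploads tree, where none should
# legitimately exist, and (b) writes an Apache .htaccess that refuses to
# serve PHP from that tree. The uploads path is an assumption; pass your own.

# Print PHP-like files found under the given uploads directory, one per line.
# Extensions are matched case-insensitively, including common variants.
find_php_in_uploads() {
    uploads_dir="$1"
    find "$uploads_dir" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[0-9]' \) \
        2>/dev/null | sort
}

# Count such files; 0 is the expected healthy state for an uploads tree.
count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}

# Write an .htaccess that denies any request for a PHP-type file in the tree
# (Apache 2.4 syntax; AllowOverride must permit <FilesMatch> and Require here).
write_php_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny execution and retrieval of PHP scripts in the uploads tree
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Usage (path is an assumption):
#   ./check_uploads.sh /var/www/html/wp-content/uploads [--harden]
if [ $# -gt 0 ]; then
    hits=$(count_php_in_uploads "$1")
    echo "PHP-type files under $1: $hits"
    find_php_in_uploads "$1"
    if [ "${2:-}" = "--harden" ]; then
        write_php_deny_htaccess "$1"
    fi
fi
```

If PHP is handed to php-fpm by a server-level ProxyPassMatch, or the site runs on nginx, per-directory .htaccess rules are not consulted and the equivalent deny must live in the server configuration.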