CVE-2025-9874 in Ultimate Classified Listings Plugin
Summary
by MITRE • 09/11/2025
The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Analysis
by VulDB Data Team • 09/11/2025
CVE-2025-9874 is a local file inclusion flaw in the Ultimate Classified Listings plugin for WordPress. It lives in the plugin's uclwp_dashboard shortcode and is present in all versions up to and including 1.6, so any site that has not updated past that release is exposed. (The entry above gives no severity score, so "critical" is not asserted here; the impact is discussed below.) The flaw is reachable by authenticated users with Contributor-level access or higher, which is a low bar. A Contributor cannot publish posts or upload media by default, but can create and save drafts and preview them, and shortcodes in a draft are rendered during preview. Any site with open registration that assigns Contributor as the default role therefore exposes the flaw to anyone who signs up, and any compromised Contributor account is enough to reach it.
Exploitation relies on improper handling of a user-supplied shortcode attribute. When an attacker with sufficient privileges places the uclwp_dashboard shortcode in post content with a crafted attribute value, the plugin uses that value to build a file path and passes it to a PHP include operation without checking it against the set of templates the plugin actually ships. Because PHP resolves relative segments in the path, a value containing ../ walks out of the plugin's template directory to any .php file the web server user can read, which is then executed rather than displayed. The summary's statement that arbitrary .php files can be included is consistent with the plugin appending the .php extension itself, which would be the only restriction on the target. This is the classic local file inclusion pattern, user input concatenated into a file system path and handed to include, and it maps to path traversal as well. The appropriate control is an allowlist of expected template names, not escaping: no encoding of the attribute value makes a traversal sequence safe to pass to include.
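The pattern described above, shown as an added illustration rather than the plugin's actual code: a shortcode handler that concatenates an attribute into an include path, beside a hardened version that allowlists the template name and verifies the resolved path. The shortcode tag example_dashboard, the attribute name view and the templates/ directory layout are assumptions for the example, not identifiers taken from the plugin.

```php
<?php
// Added illustration of the vulnerable pattern and its fix. This is NOT the
// Ultimate Classified Listings code: the shortcode tag 'example_dashboard',
// the attribute name 'view' and the templates/ directory are assumptions.

/* --- Vulnerable: attribute value flows straight into include() ----------- */
function example_dashboard_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'view' => 'overview' ), $atts, 'example_dashboard' );
    ob_start();
    // Only the appended ".php" constrains the target. From
    // wp-content/plugins/<plugin>/templates/, a Contributor who saves a draft
    // containing [example_dashboard view="../../../uploads/2025/09/avatar"]
    // and previews it makes PHP include and execute
    // wp-content/uploads/2025/09/avatar.php.
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['view'] . '.php';
    return ob_get_clean();
}

/* --- Hardened: allowlist the template name, then verify the real path ---- */
function example_dashboard_allowed_views() {
    // The complete set of templates the plugin ships; anything else is rejected.
    return array( 'overview', 'listings', 'messages' );
}

function example_dashboard_safe( $atts ) {
    $atts = shortcode_atts( array( 'view' => 'overview' ), $atts, 'example_dashboard' );

    // sanitize_key() leaves only [a-z0-9_-], which already strips "." and "/",
    // but the allowlist is the real control: the value must be a known name.
    $view = sanitize_key( $atts['view'] );
    if ( ! in_array( $view, example_dashboard_allowed_views(), true ) ) {
        $view = 'overview';
    }

    // Defence in depth: resolve symlinks and confirm the file still lives
    // inside templates/ before handing it to include.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $view . '.php' );
    if ( false === $base || false === $path
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $path;
    return ob_get_clean();
}

add_shortcode( 'example_dashboard', 'example_dashboard_safe' );
```

The allowlist is what fixes the bug; sanitize_key() and the realpath() check are belt-and-braces so that a future template added without updating the list, or a symlink dropped into templates/, still cannot widen the set of includable files.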
The operational impact goes beyond running code from a file the attacker already controls. Because the include is unconstrained, the attacker can pull in PHP files the shortcode was never meant to reach, bypassing whatever access checks the plugin or the site places in front of them, and the summary's "obtain sensitive data" covers whatever those included files output or expose. Note that an included .php file is executed, not printed, so this flaw is primarily a code execution primitive rather than a raw file disclosure primitive. The full chain requires a way to get attacker-controlled PHP onto the disk: WordPress rejects .php uploads by default, but a misconfigured or second vulnerable plugin that allows them turns this LFI into persistent remote code execution, with a backdoor that survives in the uploads directory and can be re-triggered from any draft the attacker controls. One caveat practitioners often miss: a web server rule that denies direct requests to .php files under wp-content/uploads does not help here, because include() reads the file through the file system and never goes through the web server's request handling.
This vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory); the more specific weakness for user-controlled include() targets in PHP is CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). In ATT&CK terms, the attacker operates with Valid Accounts (T1078) at Contributor level, exploits the plugin as a public-facing application (T1190), and, when a .php file can be staged and included, establishes a Web Shell (T1505.003) and executes PHP through the interpreter (T1059; there is no PHP-specific sub-technique, and T1059.007 refers to JavaScript). The attack chain begins with an attacker obtaining a Contributor account, whether through open registration or a compromised login, then saving a draft that carries the uclwp_dashboard shortcode with a traversal payload and previewing it. Detection should therefore focus on post content rather than on published pages: scan posts, drafts and revisions for the shortcode with attribute values containing "..", "/" or "\", watch the PHP error log for include failures pointing outside the plugin's template directory, and alert on any .php file appearing under wp-content/uploads. Remediation means updating the plugin past 1.6, the last release the entry lists as affected, reviewing Contributor accounts and default registration roles, and keeping PHP uploads blocked; the lasting fix on the developer side is an allowlist of template names in the shortcode handler rather than any path built from user input.
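The content-side detection suggested above, as an added helper that is not part of the plugin or of VulDB's entry: it pulls every post (any status, so drafts and revisions are included) that mentions the shortcode, parses each uclwp_dashboard occurrence with WordPress's own shortcode regex, and flags attribute values that carry path-manipulation characters. It must run inside WordPress, for example via `wp eval-file`, because it uses get_shortcode_regex() and shortcode_parse_atts(); the sample rows at the bottom are constructed for the example.

```php
<?php
// Added detection helper (not the plugin's code). Run inside WordPress,
// e.g. `wp eval-file scan-uclwp.php`, so get_shortcode_regex() and
// shortcode_parse_atts() are available. Sample rows below are constructed.

/**
 * Return shortcode occurrences whose attribute values look like path
 * manipulation. Drafts and revisions are deliberately in scope: a
 * Contributor never needs to publish, only to save and preview.
 */
function example_scan_dashboard_shortcodes( array $posts ) {
    $regex = '/' . get_shortcode_regex( array( 'uclwp_dashboard' ) ) . '/s';
    // Legitimate template names never contain these; each is a traversal,
    // separator, encoded separator, NUL or stream-wrapper indicator.
    $bad      = '#(\.\.|[/\\\\]|%2e|%2f|%5c|\x00|://)#i';
    $findings = array();

    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $regex, $post['post_content'], $m, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $m as $match ) {
            // Group 3 of the WordPress shortcode regex is the attribute string.
            $atts = shortcode_parse_atts( $match[3] );
            if ( ! is_array( $atts ) ) {
                continue;
            }
            foreach ( $atts as $name => $value ) {
                if ( preg_match( $bad, (string) $value ) ) {
                    $findings[] = array(
                        'post_id'   => (int) $post['ID'],
                        'status'    => $post['post_status'],
                        'author'    => (int) $post['post_author'],
                        'attribute' => $name,
                        'value'     => $value,
                    );
                }
            }
        }
    }
    return $findings;
}

/** Every row that mentions the shortcode, regardless of post_status. */
function example_collect_candidate_posts() {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_status, post_author, post_content
               FROM {$wpdb->posts}
              WHERE post_content LIKE %s",
            '%' . $wpdb->esc_like( '[uclwp_dashboard' ) . '%'
        ),
        ARRAY_A
    );
}

// Constructed sample rows: a benign published use and a suspicious draft.
$sample = array(
    array( 'ID' => 101, 'post_status' => 'publish', 'post_author' => 2,
           'post_content' => 'Welcome back. [uclwp_dashboard view="listings"]' ),
    array( 'ID' => 102, 'post_status' => 'draft', 'post_author' => 7,
           'post_content' => '[uclwp_dashboard view="../../../uploads/2025/09/avatar"]' ),
);

// Use example_collect_candidate_posts() instead of $sample against a live site.
foreach ( example_scan_dashboard_shortcodes( $sample ) as $hit ) {
    printf( "post %d (%s, author %d): %s=%s\n",
        $hit['post_id'], $hit['status'], $hit['post_author'],
        $hit['attribute'], $hit['value'] );
}
```

On a live site, pair the post scan with a file-system check for `find wp-content/uploads -name '*.php'`, since the scan only shows intent to include; the uploaded .php is what makes the chain complete.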