Classified Pro WordPress Theme Missing Authorization Vulnerability Allowing Arbitrary Plugin Installation
Vulnerability
A vulnerability exists in the Classified Pro theme for WordPress, in all versions through 1.0.14, allowing unauthorized plugin installations. This issue arises from a missing capability check in the 'cwp_addons_update_plugin_cb' function. Authenticated attackers with subscriber-level access or higher can exploit this vulnerability to install arbitrary plugins on the affected site's server, potentially leading to remote code execution. The required nonce for this vulnerability is located in the CubeWP Framework plugin.
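The following is an added illustration of the bug class the advisory describes, not code from the Classified Pro theme or the CubeWP Framework: an AJAX callback that verifies a nonce but never checks whether the caller is authorized to install plugins. Because WordPress nonces are issued to any logged-in user who loads the page that renders them, a nonce check alone proves only that the request originated from the site, not that the user holds the install_plugins capability. The hook name, the nonce action string 'cwp_addons_nonce', the 'plugin_slug' parameter, and the add-on slug list are assumptions for this example.

```php
<?php
/**
 * Added example (not the theme's code). Names and strings are assumptions.
 * It contrasts a handler with only a nonce check against one that also
 * enforces authorization before touching the plugin installer.
 */

// --- Vulnerable pattern: nonce check only, no authorization check --------------
function example_vulnerable_update_plugin_cb() {
    // Proves the request came from a page that rendered this nonce. Subscribers
    // can load such pages, so this is CSRF protection, not an authorization check.
    check_ajax_referer( 'cwp_addons_nonce', 'nonce' );

    $slug = sanitize_key( wp_unslash( $_POST['plugin_slug'] ?? '' ) );
    example_install_plugin_from_wporg( $slug ); // reachable by any logged-in user
    wp_send_json_success();
}

// --- Hardened pattern: nonce + capability + site lockdown + slug allowlist -----
function example_hardened_update_plugin_cb() {
    check_ajax_referer( 'cwp_addons_nonce', 'nonce' );

    // The missing check: only roles granted install_plugins (administrators by
    // default on single-site installs) may reach the installer.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Honour site-wide lockdowns that disable plugin/theme file changes.
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
        wp_send_json_error( array( 'message' => 'File modifications are disabled.' ), 403 );
    }

    $slug = sanitize_key( wp_unslash( $_POST['plugin_slug'] ?? '' ) );

    // Limit the handler to the add-ons the theme actually offers (assumed list)
    // instead of accepting an arbitrary wordpress.org slug.
    $allowed = array( 'example-addon-one', 'example-addon-two' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown add-on.' ), 400 );
    }

    example_install_plugin_from_wporg( $slug );
    wp_send_json_success();
}

// Installs a plugin from the wordpress.org directory with core's upgrader.
function example_install_plugin_from_wporg( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }
}

// Register only the hardened callback. Using wp_ajax_ (not wp_ajax_nopriv_)
// still admits every logged-in role, which is why the capability check is needed.
add_action( 'wp_ajax_example_update_plugin', 'example_hardened_update_plugin_cb' );
```

When auditing a theme or plugin for this class of issue, grep its wp_ajax_ and admin_post_ handlers and confirm each one that changes site state calls current_user_can() with a capability appropriate to the action; a check_ajax_referer() or wp_verify_nonce() call on its own is not sufficient. Until a patched release is available, defining DISALLOW_FILE_MODS in wp-config.php blocks plugin installation through core's upgrader regardless of which handler is reached.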
Impact
Exploitation of this vulnerability could allow for arbitrary plugin installation, which may be used to execute malicious code on the server.
Remediation
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected theme.
