CVE-2025-9874PHP Remote File Inclusion in Ultimate Classified Listings

CWE-98PHP Remote File InclusionCWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
7.5HIGHNVD
CISA9.8
EPSS
0.1%
top 76.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Webcodingplace Ultimate Classified Listings
Timeline
PublishedSep 11

Description

The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file type

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
Ultimate Classified Listings <= 1.6 - Authenticated (Contributor+) Local File Inclusion2025-09-11
GHSA
GHSA-6qrf-634w-3923: The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 12025-09-11

📋Vendor Advisories

1
CISA
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability2025-03-26
CVE-2025-9874 — PHP Remote File Inclusion | cvebase