vulnerability

WordPress Theme: classified-pro: CVE-2025-10706: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:S/C:C/I:C/A:C)	Oct 15, 2025	Dec 8, 2025	Dec 8, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:C/A:C)

Published

Oct 15, 2025

Added

Dec 8, 2025

Modified

Dec 8, 2025

Description

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin.

Solution

classified-pro-theme-cve-2025-10706

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-10706
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/2954583e-4ebe-4658-b132-0085f2b1cf08?source=api-prod
CVE-2025-10706
https://attackerkb.com/topics/CVE-2025-10706
CWE-862

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today