CVE-2025-10706
WordPress · WordPress Classified Pro theme
A high-severity vulnerability has been identified in the Classified Pro theme for WordPress, designated as CVE-2025-10706.
Executive summary
A high-severity vulnerability has been identified in the Classified Pro theme for WordPress, designated as CVE-2025-10706. This flaw allows a low-privileged authenticated attacker to install arbitrary plugins, potentially leading to a full website compromise. Successful exploitation could result in data theft, website defacement, or the distribution of malware, posing a significant risk to the organization's data and reputation.
Vulnerability
The vulnerability exists within the cwp_addons_update_plugin_cb function of the Classified Pro theme. This function fails to perform a capability check, the WordPress mechanism that confirms a user holds the permission required for a specific action before it is carried out. Because this check is missing, an attacker with a low-privileged authenticated account (such as a subscriber) can send a specially crafted request to this function to install any plugin from the WordPress repository or a specified URL. This allows the attacker to install a malicious plugin and execute arbitrary code, effectively granting them administrative control over the website.
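The following PHP is an added illustration of the bug class described above, not code from the Classified Pro theme: a hypothetical WordPress AJAX handler without a capability check, beside the hardened form a patched handler should take. The function names, the AJAX action example_addons_install, the nonce action and the request field slug are all assumptions; the WordPress APIs used (check_ajax_referer, current_user_can, Plugin_Upgrader, plugins_api) are the core ones wp-admin itself uses.

```php
<?php
/**
 * Added illustration (not the Classified Pro theme's code). Names such as
 * example_addons_install, the nonce action and the 'slug' field are hypothetical.
 */

// --- Vulnerable pattern: every logged-in user reaches the installer. ---
// A wp_ajax_* hook fires for any authenticated user regardless of role, so the
// handler alone decides who may act. Nothing here checks that.
function example_addons_install_unchecked() {
    $slug = isset( $_POST['slug'] ) ? $_POST['slug'] : '';
    // No nonce, no current_user_can(): a subscriber can trigger the install.
    example_addons_do_install( $slug );
}

// --- Hardened pattern. ---
function example_addons_install_checked() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_addons_install', 'nonce' );

    // 2. Authorization: 'install_plugins' is the core capability wp-admin checks
    //    before installing a plugin. Administrators (and super admins on
    //    multisite) hold it; subscribers, contributors and authors do not.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept a WordPress.org slug only, never a free-form URL.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug || ! preg_match( '/^[a-z0-9_-]{1,200}$/', $slug ) ) {
        wp_send_json_error( array( 'message' => 'Invalid plugin slug.' ), 400 );
    }

    $result = example_addons_do_install( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Shared installer: resolves the slug through the WordPress.org API and runs
// the core Plugin_Upgrader, the same code path the dashboard uses.
function example_addons_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}

// Only the hardened handler is registered, and only for authenticated users:
// there is deliberately no wp_ajax_nopriv_ hook for an installer.
add_action( 'wp_ajax_example_addons_install', 'example_addons_install_checked' );
```

The unchecked function is shown only to make the missing step visible and is never hooked. The order in the hardened handler matters: the nonce check runs first so a forged cross-site request fails before any work is done, the capability check then refuses any account that the dashboard itself would refuse, and only a validated repository slug reaches the installer, which removes the "or a specified URL" path described above.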
Business impact
This is a High severity vulnerability with a CVSS score of 8.8. The business impact of a successful exploit is severe. An attacker gaining the ability to install plugins can achieve complete control over the affected WordPress site. This could lead to a wide range of negative consequences, including the theft of sensitive customer data and user credentials, financial loss through compromised e-commerce functions, significant reputational damage from website defacement, and the use of the compromised server to host phishing campaigns or malware.
Remediation
Immediate Action: Immediately update the Classified Pro theme to the latest patched version provided by the vendor. After updating, conduct a thorough review of all installed plugins to ensure no unauthorized plugins were installed. Review all WordPress user accounts and enforce the principle of least privilege, removing any unnecessary accounts. If the theme is no longer required, it should be completely removed from the website.
Proactive Monitoring: Monitor web server access logs for any unusual POST requests to WordPress administrative functions, particularly those related to the cwp_addons_update_plugin_cb function. Implement file integrity monitoring on the wp-content/plugins/ directory to generate alerts for any unauthorized file changes or new folder additions. Monitor for unexpected outbound network connections from the web server, which could indicate a malicious plugin communicating with a command-and-control server.
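As an added example of the file integrity monitoring recommended above (not part of the advisory, and not a vendor tool), the PHP command-line script below records a SHA-256 manifest of wp-content/plugins/ and, on later runs, reports any new plugin directory, added, removed or modified file. The paths in WP_PLUGINS_DIR_PATH and BASELINE_FILE are assumptions to be adjusted for the host; it is intended to be run from cron after a clean baseline is taken.

```php
<?php
/**
 * Added example (not part of the advisory): minimal file-integrity check for
 * the WordPress plugins directory.
 *   php plugins-fim.php baseline   # record the current, known-good state
 *   php plugins-fim.php check      # exit 1 and print a report if anything changed
 * Both paths below are assumptions; adjust them for the host.
 */

const WP_PLUGINS_DIR_PATH = '/var/www/html/wp-content/plugins';
const BASELINE_FILE       = '/var/lib/wp-fim/plugins.baseline.json';

// Walk the plugin tree and return [relative path => sha256] for every file.
function fim_snapshot( string $root ): array {
    $manifest = array();
    if ( ! is_dir( $root ) ) {
        return $manifest;
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel              = substr( $file->getPathname(), strlen( $root ) + 1 );
        $manifest[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

// First path component of a relative path; '' for files at the top level.
function fim_top_dir( string $rel ): string {
    $pos = strpos( $rel, '/' );
    return false === $pos ? '' : substr( $rel, 0, $pos );
}

// Compare two manifests. New top-level directories are reported on their own
// because a freshly installed plugin shows up as exactly that.
function fim_diff( array $baseline, array $current ): array {
    $added    = array_diff_key( $current, $baseline );
    $removed  = array_diff_key( $baseline, $current );
    $modified = array();
    foreach ( array_intersect_key( $current, $baseline ) as $path => $hash ) {
        if ( $hash !== $baseline[ $path ] ) {
            $modified[] = $path;
        }
    }
    $base_dirs = array_unique( array_map( 'fim_top_dir', array_keys( $baseline ) ) );
    $new_dirs  = array_diff( array_unique( array_map( 'fim_top_dir', array_keys( $added ) ) ), $base_dirs );
    return array(
        'new_plugin_dirs' => array_values( array_filter( $new_dirs, 'strlen' ) ),
        'added'           => array_keys( $added ),
        'removed'         => array_keys( $removed ),
        'modified'        => $modified,
    );
}

$mode = $argv[1] ?? 'check';
if ( 'baseline' === $mode ) {
    if ( ! is_dir( dirname( BASELINE_FILE ) ) ) {
        mkdir( dirname( BASELINE_FILE ), 0700, true );
    }
    file_put_contents( BASELINE_FILE, json_encode( fim_snapshot( WP_PLUGINS_DIR_PATH ) ) );
    echo "Baseline written to " . BASELINE_FILE . "\n";
    exit( 0 );
}

$baseline = json_decode( (string) @file_get_contents( BASELINE_FILE ), true ) ?: array();
$report   = fim_diff( $baseline, fim_snapshot( WP_PLUGINS_DIR_PATH ) );
$alert    = array_filter( $report );   // drop empty categories
if ( $alert ) {
    // Non-zero exit lets cron or a monitoring agent treat this run as an alert.
    fwrite( STDERR, "ALERT: plugins directory changed\n" . json_encode( $alert, JSON_PRETTY_PRINT ) . "\n" );
    exit( 1 );
}
echo "OK: no changes in " . WP_PLUGINS_DIR_PATH . "\n";
```

Keep the baseline file outside the web root and writable only by the account that runs the check; a plugin installed through the vulnerable function cannot then quietly rewrite its own baseline. Re-take the baseline only after a deliberate, verified plugin change, and treat a new_plugin_dirs entry that no administrator can account for as the indicator that the flaw above has been exercised.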
Compensating Controls: If patching is not immediately possible, implement a Web Application Firewall (WAF) with a custom rule to block access to the vulnerable function's endpoint. Additionally, you can disable plugin and theme file modifications from the WordPress dashboard by adding define( 'DISALLOW_FILE_MODS', true ); to the wp-config.php file. This blocks this specific attack vector, but it also prevents administrators from installing or updating plugins and themes through the dashboard until the setting is removed.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8 and the potential for a complete system compromise from a low-privileged attacker, immediate remediation is strongly recommended. Organizations using the Classified Pro theme must prioritize applying the available patch to all affected WordPress instances. Although this vulnerability is not currently on the CISA KEV list, its severity and ease of exploitation warrant treating it as a critical threat.