CVE-2025-12882

Clasifico · Clasifico Listing WordPress Plugin

The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated users to register themselves with the 'administrator' role.

Executive summary

Unauthenticated attackers can gain full administrative control over WordPress sites using the Clasifico Listing plugin by exploiting a flaw in the user registration process.

Vulnerability

The plugin allows users to specify their own role during registration via the listing_user_role parameter. Because this input is not restricted, an unauthenticated attacker can register an account and assign themselves the 'administrator' role.
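The pattern described above, as an added illustration that is not the Clasifico Listing plugin's own code: a registration handler that copies the requested role from the POST body, beside a hardened form that decides the role on the server. Everything here is hypothetical (the function names, the `clasifico_example_` nonce, and the `listing_owner` role offered to self-registering users are assumptions); only `listing_user_role` comes from the advisory, and the WordPress calls (`wp_insert_user`, `get_role`, `wp_verify_nonce`, `WP_User::set_role`) are core APIs.

```php
<?php
// Added example for CVE-2025-12882; not code from the Clasifico Listing plugin.
// Assumes a front-end form that POSTs user_login, user_email, user_pass and
// (in the weak version) listing_user_role.

// WEAK PATTERN: the role is taken straight from the request. Any visitor who
// adds listing_user_role=administrator to the POST body is created as an
// administrator, which is the flaw the advisory describes.
function clasifico_example_register_weak() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['user_login'] ?? '' ),
        'user_email' => sanitize_email( $_POST['user_email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        // attacker-controlled: sanitising the string does nothing to restrict it
        'role'       => sanitize_text_field( $_POST['listing_user_role'] ?? 'subscriber' ),
    );
    return wp_insert_user( $userdata );
}

// HARDENED PATTERN: the server owns the role decision. Self-registration can
// only ever yield a low-privilege role from a short allowlist; anything else
// collapses to the site's configured default role.
function clasifico_example_allowed_self_roles() {
    // Assumption: the listing site offers two public account types.
    return array( 'subscriber', 'listing_owner' );
}

function clasifico_example_resolve_role( $requested ) {
    $requested = sanitize_key( (string) $requested );
    $default   = get_option( 'default_role', 'subscriber' );
    // Must be on the allowlist AND actually exist on this site.
    if ( in_array( $requested, clasifico_example_allowed_self_roles(), true ) && get_role( $requested ) ) {
        return $requested;
    }
    return $default;
}

function clasifico_example_register_hardened() {
    // Honour the site-wide registration switch first.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.' );
    }
    // Nonce check ties the submission to the form that rendered it.
    $nonce = $_POST['clasifico_example_nonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'clasifico_example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }
    $userdata = array(
        'user_login' => sanitize_user( $_POST['user_login'] ?? '', true ),
        'user_email' => sanitize_email( $_POST['user_email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => clasifico_example_resolve_role( $_POST['listing_user_role'] ?? '' ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Defence in depth: if any filter altered the role during insert, a
    // self-registered account must still not end up with elevated capabilities.
    $user = get_user_by( 'id', $user_id );
    if ( $user && $user->has_cap( 'manage_options' ) ) {
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }
    return $user_id;
}
```

The essential difference is that in the hardened handler the request can at most choose between roles the site has decided are safe to hand out, and the final capability check catches an elevated role regardless of how it was reached.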

Business impact

This vulnerability leads to a total loss of site control. An attacker can access all administrative functions, potentially leading to data breaches, site defacement, and the permanent lockout of legitimate administrators. The CVSS score of 9.8 confirms the critical nature of this flaw.

Remediation

Immediate Action: Update the Clasifico Listing plugin to a version higher than 2.0 to remove the ability for users to set their own roles.

Proactive Monitoring: Regularly audit the WordPress user database for unauthorized accounts holding administrative or high-level privileges.

Compensating Controls: Temporarily disable new user registration in the WordPress settings until the plugin is updated and verified.
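One way to carry out the "Proactive Monitoring" step, as an added example that is not part of the plugin or this advisory: a script for `wp eval-file` that lists every account holding a privileged role and is not on an allowlist of known administrators. The `clasifico_example_` function names, the allowlist contents and the choice of roles treated as privileged are assumptions; `get_users`, `WP_User` fields and `WP_CLI::warning` are real WordPress and WP-CLI APIs.

```php
<?php
// Added audit helper for CVE-2025-12882 follow-up; not Clasifico Listing code.
// Run with: wp eval-file audit-admins.php
// It reports privileged accounts that are not on the allowlist so that an
// account created through the unrestricted listing_user_role path stands out.

function clasifico_example_known_admin_logins() {
    // Assumption: the site's legitimate administrators, maintained out of band.
    return array( 'siteowner' );
}

function clasifico_example_privileged_roles() {
    // Roles worth reviewing after a privilege-escalation issue; adjust per site.
    return array( 'administrator', 'editor' );
}

// Returns one array per privileged account that is not on the allowlist.
function clasifico_example_find_unexpected_admins() {
    $known   = clasifico_example_known_admin_logins();
    $users   = get_users( array(
        'role__in' => clasifico_example_privileged_roles(),
        'number'   => -1, // no limit
    ) );
    $results = array();
    foreach ( $users as $user ) {
        if ( in_array( $user->user_login, $known, true ) ) {
            continue;
        }
        $results[] = array(
            'ID'         => $user->ID,
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'roles'      => $user->roles,
            'registered' => $user->user_registered, // when the account was created
        );
    }
    return $results;
}

$suspects = clasifico_example_find_unexpected_admins();
if ( empty( $suspects ) ) {
    WP_CLI::log( 'No unexpected privileged accounts found.' );
} else {
    foreach ( $suspects as $s ) {
        WP_CLI::warning( sprintf(
            'Unexpected privileged account #%d %s <%s> roles=%s registered=%s',
            $s['ID'], $s['login'], $s['email'], implode( ',', $s['roles'] ), $s['registered']
        ) );
    }
}
```

The registration timestamp is the useful triage field: an administrator account whose `user_registered` date falls in the window when the vulnerable plugin version was installed deserves a closer look before it is removed. The compensating control above can be applied from the same tooling with `wp option update users_can_register 0`, which is the WP-CLI equivalent of unticking "Anyone can register" in the General settings.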

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability for a remote, unauthenticated user to grant themselves administrative rights is a catastrophic failure of security logic. Update the plugin immediately and perform a thorough audit of all administrative accounts.