CVE-2025-9874

WordPress · WordPress Ultimate Classified Listings plugin

Executive summary

A high-severity vulnerability has been identified in the Ultimate Classified Listings plugin for WordPress, which could allow an unauthenticated attacker to access sensitive files on the web server. Successful exploitation could lead to the disclosure of confidential information, such as database credentials, or potentially enable further attacks against the server. Organizations using this plugin are urged to apply the recommended updates immediately to mitigate the risk of data compromise.

Vulnerability

The vulnerability is a Local File Inclusion (LFI) flaw. It exists because the plugin fails to properly sanitize user-supplied input that is used in a file path. An unauthenticated remote attacker can exploit this by crafting a special request that manipulates the input to include path traversal sequences (e.g., ../). This tricks the application into accessing and displaying the contents of arbitrary files on the server's local file system that are readable by the web server process, such as wp-config.php or /etc/passwd.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have significant business consequences, including the theft of sensitive data such as database credentials, API keys, and other configuration secrets stored on the server. This could lead to a full database compromise, a data breach of customer information, website defacement, or the complete takeover of the affected website. The compromised server could then be used as a foothold to launch further attacks against the internal network, posing a substantial risk to the organization's security posture and reputation.

Remediation

Immediate Action:

  • Immediately identify all WordPress instances running the "Ultimate Classified Listings" plugin.
  • Update the plugin to the latest patched version as recommended by the vendor.
  • If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface.
  • Review WordPress security settings to ensure they adhere to hardening best practices.

Proactive Monitoring:

  • Monitor web server and WAF (Web Application Firewall) logs for requests containing path traversal sequences such as ../ or ..\ (including their URL-encoded variants), or absolute file paths targeting sensitive files (e.g., wp-config.php, /etc/passwd, /etc/shadow).
  • Look for anomalous outbound traffic from web servers, which could indicate a successful compromise.
  • Implement file integrity monitoring on critical WordPress core and configuration files to detect unauthorized changes.
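The log-monitoring item above, as an added example that is not part of the advisory: a small Python scanner that normalizes each request URL (repeated URL-decoding, backslash folding) before checking for traversal sequences and the sensitive file names the advisory lists, and records whether the server actually served the request. The log lines, the PLUGIN_SLUG/view.php path and the "file" parameter are constructed placeholders; the advisory does not name the vulnerable endpoint or parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined access-log format. PLUGIN_SLUG/view.php
# and the "file" parameter are placeholders: the advisory does not name the
# vulnerable endpoint or parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:12:00:01 +0000] "GET /index.php?p=listings HTTP/1.1" 200 512
203.0.113.7 - - [10/Sep/2025:12:00:02 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/view.php?file=../../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [10/Sep/2025:12:00:03 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/view.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1536
203.0.113.9 - - [10/Sep/2025:12:00:04 +0000] "GET /wp-content/plugins/PLUGIN_SLUG/view.php?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
198.51.100.2 - - [10/Sep/2025:12:00:05 +0000] "GET /wp-content/uploads/2025/09/photo.jpg HTTP/1.1" 200 9876
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE = ("wp-config.php", "/etc/passwd", "/etc/shadow")  # files named in the advisory


def normalize(url: str) -> str:
    """URL-decode up to three rounds (single and double encoding), then fold
    backslashes to slashes so ..\\ and ..%5c are seen as ../ too."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")


def classify(line: str):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = normalize(m["url"])
    reasons = ["traversal"] if "../" in url else []
    reasons += [f"target:{s}" for s in SENSITIVE if s in url]
    if not reasons:
        return None
    status = int(m["status"])
    # 2xx means the server returned content; 4xx usually means the WAF or
    # application rejected the request. Both are worth alerting on.
    return {"ip": m["ip"], "status": status, "served": 200 <= status < 300,
            "reasons": reasons, "url": url}


def scan(log_text: str) -> list:
    """Apply classify() to every log line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Findings with "served" set to True deserve the highest priority, since the web server returned a body for a request that referenced a traversal sequence or a sensitive file.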

Compensating Controls:

  • If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attack patterns.
  • Harden the web server's file system permissions to ensure the web server user account has read access only to the files and directories it absolutely requires.
  • Disable PHP functions that are commonly abused in LFI attacks (e.g., file_get_contents, include, require) if they are not essential for the application's functionality, though this may cause site instability.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.5) and the critical nature of the potential impact (sensitive data exposure), it is strongly recommended that organizations prioritize the immediate remediation of this vulnerability. All instances of the Ultimate Classified Listings plugin must be updated to the latest version without delay. Although this CVE is not currently listed on the CISA KEV list, its characteristics make it an attractive target for widespread, opportunistic attacks against vulnerable WordPress sites. Proactive patching is the most effective defense against potential compromise.