CVE-2025-5811 MEDIUM

CVE-2025-5811: Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion

Vendor Milanmk

Product Listly: Listicles For WordPress

Weakness CWE-862 · Missing authorization

Published July 18, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Listly: Listicles For WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Init() function in all versions up to, and including, 2.7. This makes it possible for unauthenticated attackers to delete arbitrary transient values on the WordPress site.

Explanation of Vulnerability in Simple Terms

02Summary

The Listly plugin for WordPress versions 2.7 and earlier does not properly check user permissions before allowing certain actions. An unauthenticated attacker can modify content on the site without authorization. Site administrators should update the plugin immediately to a version newer than 2.7.

What an attacker can do

03Attacker Capabilities

Modify site content without logging in or having permission to do so.

Potential impact on your site

04Site Impact

Attackers can alter posts, pages, or other content without your knowledge or consent.

Conditions required to exploit

05Prerequisites

Network access to the WordPress site; no authentication or user interaction required.

Key dates

06Disclosure timeline

July 18, 2025 CVE published

April 8, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-5811 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities