Ultimate Classified Listings Security & Risk Analysis

wordpress.org/plugins/ultimate-classified-listings

A simple yet complete classifieds and listings system for WordPress.

20 active installs · v1.7 · PHP + · WP 3.5+ · Updated Dec 4, 2025
Tags: classifieds-ads, event, job, listings, rent
Score 34 · D · High Risk
CVEs total: 9
Unpatched: 3
Last CVE: Sep 10, 2025
Safety Verdict

Is Ultimate Classified Listings Safe to Use in 2026?

High Risk

Score 34/100

Ultimate Classified Listings carries significant security risk with 9 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.

9 known CVEs · 3 unpatched · Last CVE: Sep 10, 2025 · Updated 4mo ago
Risk Assessment

The ultimate-classified-listings plugin v1.7 presents a moderate to high security risk. While it shows some positive security practices, such as a high percentage of properly escaped outputs and the use of prepared statements for SQL queries, significant concerns arise from its attack surface and vulnerability history. A substantial portion of AJAX handlers lack proper authorization checks, creating a large entry point for potential unauthorized actions. Taint analysis, although not revealing critical or high severity issues in this specific scan, identified flows with unsanitized paths, which could be exacerbated by a lack of authorization.

The plugin's historical vulnerability data is a major red flag. With 9 known CVEs, including 3 currently unpatched high-severity vulnerabilities, and common types like Missing Authorization, CSRF, PHP Remote File Inclusion, and XSS, the plugin has a clear pattern of exploitable weaknesses. The recent vulnerability in September 2025 further indicates ongoing security issues. This history suggests a recurring inability to consistently secure the plugin against common web vulnerabilities.

In conclusion, the plugin has a concerning security posture. The combination of an unprotected attack surface and a history of significant vulnerabilities, particularly unpatched high-severity ones, outweighs its positive aspects. Users of this plugin should be aware of the elevated risk and consider alternatives or ensure strict patching and monitoring practices are in place.

Key Concerns

  • 13 AJAX handlers without auth checks
  • 3 currently unpatched high-severity CVEs
  • 6 flows with unsanitized paths
  • Large attack surface (22 total, 13 unprotected)
  • History of 9 CVEs, including RFI and XSS
  • Missing nonce checks (2 vs 17 AJAX handlers)
  • Bundled library Select2 may have vulnerabilities
Vulnerabilities
9

Ultimate Classified Listings Security Vulnerabilities

CVEs by Year

2024: 5 CVEs (has unpatched)
2025: 4 CVEs (has unpatched)

Severity Breakdown

High: 3
Medium: 6

9 total CVEs

CVE-2025-9874 · high · 7.5 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Ultimate Classified Listings <= 1.6 - Authenticated (Contributor+) Local File Inclusion

Sep 10, 2025 · Patched in 1.7 (57d)

CVE-2025-0763 · medium · 4.3 · Missing Authorization

Ultimate Classified Listings <= 1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

Sep 10, 2025 · Unpatched

CVE-2024-13748 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Classified Listings <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Title Parameter

Feb 19, 2025 · Patched in 1.5 (2d)

CVE-2024-13753 · high · 8.1 · Cross-Site Request Forgery (CSRF)

Ultimate Classified Listings <= 1.5 - Cross-Site Request Forgery to Account Takeover

Feb 19, 2025 · Patched in 1.6 (61d)

CVE-2024-52487 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Classified Listings <= 1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Nov 19, 2024 · Unpatched

CVE-2024-52448 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Ultimate Classified Listings <= 1.6 - Authenticated (Contributor+) Local File Inclusion

Nov 18, 2024 · Unpatched

CVE-2024-6529 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Classified Listings <= 1.3 - Reflected Cross-Site Scripting

Jul 11, 2024 · Patched in 1.4 (5d)

CVE-2024-5883 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Classified Listings <= 1.2 - Reflected Cross-Site Scripting

Jul 8, 2024 · Patched in 1.3 (8d)

CVE-2024-5882 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Classified Listings <= 1.3 - Unauthenticated Local File Inclusion

Jul 8, 2024 · Patched in 1.4 (8d)

Code Analysis
Analyzed Mar 16, 2026

Ultimate Classified Listings Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 41 (754 escaped)
Nonce Checks: 2
Capability Checks: 9
File Operations: 0
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Select2

Output Escaping

95% escaped · 795 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

14 flows · 6 with unsanitized paths
contact_seller (classes\class-email.php:159)
Attack Surface
13 unprotected

Ultimate Classified Listings Attack Surface

Entry Points: 22
Unprotected: 13

AJAX Handlers 17

auth wp_ajax_uclwp_save_field_sections classes\class-admin-settings.php:17
auth wp_ajax_uclwp_save_custom_fields classes\class-admin-settings.php:18
auth wp_ajax_uclwp_reset_custom_fields classes\class-admin-settings.php:19
auth wp_ajax_wcp_uclwp_save_settings classes\class-admin-settings.php:20
auth wp_ajax_ucl_deny_seller classes\class-admin-settings.php:23
auth wp_ajax_ucl_approve_seller classes\class-admin-settings.php:24
auth wp_ajax_uclwp_contact_seller classes\class-email.php:17
nopriv wp_ajax_uclwp_contact_seller classes\class-email.php:18
auth wp_ajax_uclwp_compare_listings classes\class-front-templates.php:27
nopriv wp_ajax_uclwp_compare_listings classes\class-front-templates.php:28
auth wp_ajax_uclwp_search_listing classes\class-shortcodes.php:15
nopriv wp_ajax_uclwp_search_listing classes\class-shortcodes.php:16
nopriv wp_ajax_uclwp_seller_login classes\class-shortcodes.php:18
nopriv wp_ajax_uclwp_seller_register classes\class-shortcodes.php:19
auth wp_ajax_uclwp_create_listing_frontend classes\class-shortcodes.php:21
auth wp_ajax_uclwp_update_profile classes\class-shortcodes.php:22
auth wp_ajax_uclwp_delete_listing classes\class-shortcodes.php:23

Shortcodes 5

[uclwp_dashboard] classes\class-shortcodes.php:9
[uclwp_categories] classes\class-shortcodes.php:10
[uclwp_listings] classes\class-shortcodes.php:11
[uclwp_search_form] classes\class-shortcodes.php:12
[uclwp_search_results] classes\class-shortcodes.php:13

WordPress Hooks 35

action admin_menu classes\class-admin-settings.php:9
action admin_enqueue_scripts classes\class-admin-settings.php:10
action add_meta_boxes classes\class-admin-settings.php:11
action save_post classes\class-admin-settings.php:12
action uclwp_listing_category_add_form_fields classes\class-admin-settings.php:27
action created_uclwp_listing_category classes\class-admin-settings.php:28
action uclwp_listing_category_edit_form_fields classes\class-admin-settings.php:29
action edited_uclwp_listing_category classes\class-admin-settings.php:30
action pre_get_posts classes\class-admin-settings.php:31
action transition_post_status classes\class-admin-settings.php:33
filter wp_kses_allowed_html classes\class-admin-settings.php:34
action uclwp_new_seller_registered classes\class-email.php:10
action uclwp_new_seller_approved classes\class-email.php:11
action uclwp_new_seller_rejected classes\class-email.php:12
action uclwp_new_listing_submitted classes\class-email.php:13
action uclwp_new_listing_approved classes\class-email.php:14
filter template_include classes\class-front-templates.php:10
action wp_enqueue_scripts classes\class-front-templates.php:11
action uclwp_listing_content classes\class-front-templates.php:13
action uclwp_listing_sidebar classes\class-front-templates.php:14
action uclwp_pagination classes\class-front-templates.php:17
action uclwp_listing_box classes\class-front-templates.php:19
action uclwp_archive_topbar classes\class-front-templates.php:20
action uclwp_featured_image classes\class-front-templates.php:21
filter get_the_archive_title classes\class-front-templates.php:23
action wp_footer classes\class-front-templates.php:25
action init classes\class-register-cpt.php:9
filter post_updated_messages classes\class-register-cpt.php:10
filter load-options-permalink.php classes\class-register-cpt.php:12
filter wp_dropdown_users classes\class-register-cpt.php:14
action admin_init classes\class-ucl-init.php:12
filter use_block_editor_for_post_type classes\class-ucl-init.php:13
action plugins_loaded classes\class-ucl-init.php:14
filter ajax_query_attachments_args classes\class-ucl-init.php:17
filter user_has_cap classes\class-ucl-init.php:18
Maintenance & Trust

Ultimate Classified Listings Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 4, 2025
PHP min version
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 20
Developer Profile

Ultimate Classified Listings Developer Profile

webcodingplace

4 plugins · 5K total installs

Trust score: 76
Avg Security Score: 83/100
Avg Patch Time: 49 days
Detection Fingerprints

How We Detect Ultimate Classified Listings

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-classified-listings/assets/css/admin-style.css
/wp-content/plugins/ultimate-classified-listings/assets/css/custom-fields.css
/wp-content/plugins/ultimate-classified-listings/assets/css/fields-builder.css
/wp-content/plugins/ultimate-classified-listings/assets/css/listing-styles.css
/wp-content/plugins/ultimate-classified-listings/assets/css/metabox-style.css
/wp-content/plugins/ultimate-classified-listings/assets/css/page-settings.css
/wp-content/plugins/ultimate-classified-listings/assets/js/admin-script.js
/wp-content/plugins/ultimate-classified-listings/assets/js/custom-fields.js
+3 more

Script Paths
/wp-content/plugins/ultimate-classified-listings/assets/js/admin-script.js
/wp-content/plugins/ultimate-classified-listings/assets/js/custom-fields.js
/wp-content/plugins/ultimate-classified-listings/assets/js/fields-builder.js
/wp-content/plugins/ultimate-classified-listings/assets/js/listing-script.js
/wp-content/plugins/ultimate-classified-listings/assets/js/metabox-script.js

Version Parameters
ultimate-classified-listings/assets/css/admin-style.css?ver=
ultimate-classified-listings/assets/css/custom-fields.css?ver=
ultimate-classified-listings/assets/css/fields-builder.css?ver=
ultimate-classified-listings/assets/css/listing-styles.css?ver=
ultimate-classified-listings/assets/css/metabox-style.css?ver=
ultimate-classified-listings/assets/css/page-settings.css?ver=
ultimate-classified-listings/assets/js/admin-script.js?ver=
ultimate-classified-listings/assets/js/custom-fields.js?ver=
ultimate-classified-listings/assets/js/fields-builder.js?ver=
ultimate-classified-listings/assets/js/listing-script.js?ver=
ultimate-classified-listings/assets/js/metabox-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
uclwp-fields-builder-wrap
uclwp-fields-sections-wrap
uclwp-listing-submit-form
uclwp-listing-details

HTML Comments
<!-- UCLWP - Fields Builder -->
<!-- UCLWP - Fields Sections -->
<!-- UCLWP - Settings Page -->

Data Attributes
data-field-id
data-section-id
data-listing-id

JS Globals
uclwp_admin_ajax_object
uclwp_fields_builder_object

REST Endpoints
/wp-json/uclwp/v1/settings
/wp-json/uclwp/v1/fields
/wp-json/uclwp/v1/sections

Shortcode Output
[uclwp_listing_form]
[uclwp_listings]
[uclwp_listing_details]

FAQ

Frequently Asked Questions about Ultimate Classified Listings