CVE-2025-64242

MEDIUM 4.3 (CVSS 3.1)
2025-12-16 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 16, 2025 - 09:15 (nvd), MEDIUM 4.3

Description

Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.21.

Analysis

Inadequately configured access control in Easy Property Listings WordPress plugin versions 3.5.21 and earlier allows authenticated users to access sensitive information they should not be authorized to view. An authenticated attacker with user-level privileges can bypass authorization checks to read property listing data or other restricted content due to missing authorization validation on API endpoints or functionality. EPSS exploitation probability is very low at 0.04%, and no public exploit code has been identified, indicating limited real-world threat despite the authentication-bypass tag.

Technical Context

Easy Property Listings is a WordPress plugin (CPE: a:merv_barrett:easy_property_listings) that manages residential and commercial property listings. The vulnerability stems from CWE-862 (Missing Authorization), a common weakness where the application fails to enforce proper access control checks before allowing authenticated users to access restricted resources. Rather than validating whether a specific user has permission to view, edit, or interact with a particular property listing or administrative function, the plugin relies on incorrect or missing authorization logic. This allows any authenticated user (including those with minimal privileges) to escalate their access beyond their intended scope. The issue likely affects REST API endpoints or internal functions that process property data without verifying the requester's actual authorization level.

Affected Products

Easy Property Listings WordPress plugin, versions 3.5.21 and earlier (CPE: a:merv_barrett:easy_property_listings). The plugin is distributed through WordPress.org and is commonly used by real estate agencies to manage property listings. Patchstack has documented the vulnerability affecting version 3.5.15 and earlier; version 3.5.21 is the latest confirmed vulnerable release per the CVE description.

Remediation

Update Easy Property Listings to version 3.5.22 or later, which should include authorization control fixes. Users should access the WordPress plugin dashboard, navigate to Plugins, and check for available updates, or manually download the patched version from wordpress.org/plugins/easy-property-listings/. As an interim mitigation, site administrators should review user role assignments and restrict plugin access via role management until the patch is deployed. Verify that only trusted staff have 'Editor' or higher roles. For detailed advisory information and confirmation of the patched version, consult the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-15-broken-access-control-vulnerability.

Priority Score

22 (KEV: 0, EPSS: +0.0, CVSS: +22, POC: 0)
