CVE-2025-60103
Description
Missing Authorization vulnerability in CridioStudio ListingPro listingpro-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through <= 2.9.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress ListingPro plugin up to v2.9.8 allows unprivileged attackers to exploit incorrectly configured access controls.
Vulnerability Overview
CVE-2025-60103 is a Missing Authorization vulnerability in the WordPress ListingPro plugin (listingpro-plugin) by CridioStudio, affecting versions up to and including 2.9.8. The issue stems from an incorrectly configured access control security level, which lets functions execute without proper authorization checks, for example without nonce verification or capability validation [1].
Exploitation Details
The vulnerability can be exploited by an unauthenticated or low-privileged attacker who can send crafted requests to the affected plugin endpoints. Since the access control is broken, the plugin fails to verify whether the user has the necessary privileges to trigger certain higher-privileged actions. This type of flaw is commonly leveraged in mass-exploit campaigns targeting thousands of websites simultaneously [1].
Impact
An attacker successfully exploiting this vulnerability could perform unauthorized actions that should be restricted to higher-privileged users. Depending on the misconfigured functions, this might include modifying plugin settings, accessing sensitive data, or performing administrative operations. The CVSS v3 base score is 5.4 (Medium), reflecting the potential for significant site compromise [1].
Mitigation
The vendor has addressed this vulnerability in a subsequent release; users are strongly advised to update to the latest version of ListingPro. If immediate updating is not possible, temporary workarounds such as disabling the plugin or applying a web application firewall rule can help reduce risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- Range: <= 2.9.8
- Range: <= 2.9.8
Patches
0
No patches discovered yet.
References
1
News mentions
0
No linked articles in our index yet.