CVE-2025-60122
Description
Missing Authorization vulnerability in HivePress HivePress Claim Listings hivepress-claim-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HivePress Claim Listings: from n/a through <= 1.1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in HivePress Claim Listings ≤1.1.4 allows unprivileged users to exploit incorrectly configured access controls.
Vulnerability
Overview
The HivePress Claim Listings plugin for WordPress versions up to and including 1.1.4 suffers from a missing authorization vulnerability. The plugin fails to properly enforce access control checks, allowing users with lower privileges to perform actions that should require higher-level permissions. This is a classic broken access control issue where the software does not verify that the requesting user has the necessary capabilities before executing sensitive functions [1].
Exploitation
An attacker needs nothing more than a standard user account to exploit this vulnerability. Because the authorization check is missing, any authenticated user can potentially access and manipulate claim listings functionality that should be restricted to administrators. The attack surface is broad because the plugin is widely used on WordPress sites, and the vulnerability is present in all versions from n/a through 1.1.4 [1].
Impact
Successful exploitation allows an attacker to bypass intended access control security levels. This could lead to unauthorized modification or deletion of claim listings, or other actions that compromise the integrity of the plugin's data. The vulnerability is rated as Medium severity with a CVSS v3 score of 4.3, reflecting the need for authentication but the potential for significant impact on the affected site's functionality [1].
Mitigation
The vendor has not released a patched version beyond 1.1.4, so users should update to the latest available version. If an update is not possible, disable the plugin immediately or implement additional access control measures via a web application firewall or custom code. The vulnerability is known to be used in mass-exploit campaigns, making timely mitigation critical [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
<=1.1.4 + 1 more
- (no CPE) range: <=1.1.4
- (no CPE) range: <=1.1.4
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.