CVE-2025-60123
Description
Missing Authorization vulnerability in the HivePress Claim Listings plugin (hivepress-claim-listings) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HivePress Claim Listings: from n/a through <= 1.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in HivePress Claim Listings plugin ≤1.1.3 allows unauthenticated exploitation of incorrectly configured access controls.
Vulnerability Overview
The HivePress Claim Listings plugin for WordPress versions up to and including 1.1.3 suffers from a missing authorization vulnerability. This flaw stems from improperly configured access control security levels, allowing unauthenticated users to perform actions that should require higher privileges [1].
Exploitation Conditions
Attackers can exploit this vulnerability without authentication or prior knowledge, simply by sending crafted requests to the affected plugin endpoints. The issue is classified as broken access control: no nonce or capability checks are in place to verify the user's authorization for certain functions [1].
Impact
Successful exploitation can lead to unauthorized actions such as claiming listings or modifying plugin settings, potentially compromising the integrity of the website's listing management. While the CVSS score is 4.3 (medium), the vulnerability is considered low severity and unlikely to be exploited in mass campaigns, though it remains a risk for site owners [1].
Mitigation
The vulnerability is patched in version 1.1.4. Users are strongly advised to update immediately. If updating is not possible, administrators should implement additional access controls or consult their hosting provider for alternative mitigations. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 1.1.3
- (no CPE) range: <= 1.1.3
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.