CVE-2025-63047
Description
Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through <= 2.9.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The ListingPro theme for WordPress, developed by CridioStudio, suffers from a missing authorization vulnerability affecting versions up to and including 2.9.9. This issue stems from incorrectly configured access control security levels, which attackers can exploit to bypass intended restrictions. The vulnerability is classified as a broken access control problem, meaning that functions within the theme lack proper authorization checks, such as nonce tokens or capability verification. [1]
Exploitation and Attack Surface
This vulnerability is particularly dangerous because it can be exploited without authentication, allowing unprivileged users to execute actions that should require higher privileges. Attackers can leverage this flaw in mass-exploit campaigns, targeting thousands of websites regardless of their traffic or popularity. The attack surface is broad, as any site running a vulnerable version of the ListingPro theme is potentially at risk. [1]
Impact and Mitigation
Successful exploitation could allow an attacker to perform unauthorized actions, potentially leading to data exposure, site defacement, or other malicious outcomes. The vendor has not released a patch, and users are strongly advised to update the theme immediately if a patched version becomes available. As a temporary measure, users should contact their hosting provider or a web developer for assistance in mitigating the risk. The vulnerability has a CVSS v3 score of 5.3 (Medium), indicating a moderate severity level. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.9.9
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.