CVE-2025-63049

Vulnerability

Overview

The ListingPro Lead Form plugin for WordPress (listingpro-lead-form) plugin for WordPress, versions up to and up to 1.0.7, contains a Missing Authorization vulnerability. This flaw allows an attacker to access functionality that should be protected by Access Control Lists (ACLs) [1]. The root cause].

Exploitation

The vulnerability is classified as a broken access control issue, meaning the plugin fails to properly verify authorization, authentication, or nonce tokens before executing certain functions. This allows an unprivileged user—potentially an unauthenticated visitor—to trigger actions that should require higher privileges [1].

Impact

An attacker exploiting this vulnerability can access functionality not properly constrained by ACLs, leading to unauthorized actions within the WordPress site. This could include viewing, modifying, or deleting data that should be restricted, depending on the specific unprotected functions [1].

Mitigation

The vendor has not released a patched version beyond version beyond 1.0.7. Users are strongly advised to update the plugin immediately if a fix becomes available, or to contact their hosting provider or web developer for assistance. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of sites [1].