CVE-2025-66087

Vulnerability

Overview

CVE-2025-66087 is a missing authorization vulnerability in the PropertyHive plugin for WordPress, affecting versions from n/a through 2.1.12. The issue stems from incorrectly configured access control security levels, which allows unauthenticated attackers to exploit the plugin's functions without proper permission checks [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted requests to a WordPress site running a vulnerable version of PropertyHive. No authentication is required, and the attack can be performed remotely over the network. The vulnerability is classified as a low complexity and does not require user interaction, making it potentially exploitable in mass campaigns targeting thousands of websites [1].

Impact

Successful exploitation could allow an attacker to perform actions that should be restricted to higher-privileged users, such as modifying property listings or accessing sensitive data. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity with limited direct impact on confidentiality, integrity, or availability [1].

Mitigation

The vendor has released version 2.1.13 which addresses the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].