CVE-2025-67560
Description
Missing Authorization vulnerability in Webilia Inc. Listdom listdom allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listdom: from n/a through <= 5.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-67560 is a missing authorization vulnerability in the WordPress Listdom plugin (≤5.0.1), allowing attackers to exploit incorrectly configured access controls to perform privileged actions.
Vulnerability Details
CVE-2025-67560 is a missing authorization vulnerability (also described as a broken access control issue) in the WordPress Listdom plugin by Webilia Inc. [1]. The plugin versions up to and including 5.0.1 fail to properly check user permissions for certain functions, meaning that an unauthenticated or low-privileged user can execute actions that should be restricted to higher-privileged roles. The root cause is the absence of a necessary authorization, authentication, or nonce token check within some plugin functionality [1].
Exploitation Prerequisites
Attackers can exploit this vulnerability without needing any special privileges, as the missing access control check allows unprivileged users to perform higher-privileged actions [1]. The attack surface is broad because the plugin is widely deployed on WordPress sites. This type of vulnerability is often targeted in mass-exploit campaigns, where attackers scan for vulnerable sites and attempt to execute arbitrary actions such as modifying settings, creating user accounts, or injecting malicious content [1].
Impact
Successful exploitation could lead to unauthorized modification of site configurations, privilege escalation, or other actions that compromise the integrity or confidentiality of the WordPress installation. The CVSS v3 base score is 5.4 (Medium), reflecting a moderate severity due to the potential for unauthorized access to sensitive functions [1].
Mitigation
The vendor has released version 5.1.0 of the Listdom plugin, which fixes the vulnerability. Users are strongly advised to update to 5.1.0 or later immediately [1]. For those using Patchstack, enabling auto-updates for vulnerable plugins can help ensure timely patching. If updating is not possible immediately, website owners should contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <=5.0.1
- (no CPE), range: <=5.0.1
Patches
No patches discovered yet.
References