CVE-2025-68059
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | hotel_listing | to 1.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68059 is a Broken Access Control vulnerability in the WordPress Hotel Listing Plugin (versions up to 1.4.2). It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, which allows users with low privileges (such as subscribers or developers) to perform actions that should be restricted to higher-privileged roles. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized actions being performed on your WordPress site by users who should not have such permissions. Because it allows lower-privileged users to execute higher-privileged functions, it poses a significant security risk, potentially compromising site integrity, data, and functionality. The CVSS score of 7.6 indicates a high likelihood of exploitation and serious impact. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for unauthorized access attempts or actions performed by low-privileged users (such as subscribers or developers) that should require higher privileges. Since the vulnerability is due to missing authorization checks in the Hotel Listing plugin (up to version 1.4.2), you can audit plugin activity logs for suspicious behavior. Specific commands are not provided in the resources, but general WordPress security monitoring tools or plugins that log user actions and privilege escalations can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the Patchstack mitigation rule provided to block attacks targeting this vulnerability until an official patch is released. Users are strongly advised to implement this mitigation immediately to protect their websites. Additionally, restricting user privileges to the minimum necessary and monitoring for suspicious activity can help reduce risk. [1]