CVE-2025-68072
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-04-01
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| merv_barrett | easy_property_listings | to 3.5.17 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68072 is a Broken Access Control vulnerability in the WordPress Easy Property Listings Plugin (versions up to 3.5.17). It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that should require higher privileges. [1]
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to perform privileged actions on your WordPress site using the Easy Property Listings Plugin, potentially leading to unauthorized data access or modification. It poses a moderate risk with a CVSS score of 6.5. Without mitigation, your site could be exploited, compromising its security and integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for unauthorized access attempts to Easy Property Listings plugin functions that require higher privileges but are accessible without proper authorization. Since the vulnerability allows unauthenticated users to perform privileged actions, you can check your web server logs for suspicious requests targeting Easy Property Listings endpoints or parameters. Specific commands depend on your environment, but for example, you can use grep to search your access logs for suspicious requests: grep -i 'easy-property-listings' /var/log/apache2/access.log or grep -i 'easy-property-listings' /var/log/nginx/access.log. Additionally, monitoring for unusual POST requests or parameters related to the plugin may help detect exploitation attempts. Employing a Web Application Firewall (WAF) with rules blocking known exploit patterns, such as the Patchstack mitigation rule, can also aid detection and prevention. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the Patchstack mitigation rule that blocks attacks exploiting this vulnerability, as no official patch is available yet. This rule provides immediate protection by preventing unauthorized access attempts targeting the Easy Property Listings plugin. Additionally, users should implement continuous security monitoring and consider restricting access to the plugin's administrative functions via IP whitelisting or other access control measures until an official fix is released. [1]