{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2253", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-12T14:44:35.469Z", "datePublished": "2025-05-09T06:42:35.358Z", "dateUpdated": "2026-04-08T16:51:52.808Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:52.808Z"}, "affected": [{"vendor": "imithemes", "product": "IMITHEMES Listing", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known."}], "title": "IMITHEMES Listing <= 3.3 - Unauthenticated Privilege Escalation via Unverified Password Reset", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed0ea4a-9cbf-4033-a31f-6cb954e8ce01?source=cve"}, {"url": "https://themeforest.net/item/auto-stars-car-dealership-listings-wp-theme/11560490"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-620 Unverified Password Change", "cweId": "CWE-620", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alyudin Nafiie"}], "timeline": [{"time": "2025-05-08T17:58:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-09T15:41:05.476145Z", "id": "CVE-2025-2253", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T15:41:25.960Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2253", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-09T15:41:05.476145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T15:41:19.464Z"}}], "cna": {"title": "IMITHEMES Listing <= 3.3 - Unauthenticated Privilege Escalation via Unverified Password Reset", "credits": [{"lang": "en", "type": "finder", "value": "Alyudin Nafiie"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "imithemes", "product": "IMITHEMES Listing", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-08T17:58:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed0ea4a-9cbf-4033-a31f-6cb954e8ce01?source=cve"}, {"url": "https://themeforest.net/item/auto-stars-car-dealership-listings-wp-theme/11560490"}], "descriptions": [{"lang": "en", "value": "The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-620", "description": "CWE-620 Unverified Password Change"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-09T06:42:35.358Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2253", "state": "PUBLISHED", "dateUpdated": "2025-05-09T15:41:25.960Z", "dateReserved": "2025-03-12T14:44:35.469Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-09T06:42:35.358Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known."}, {"lang": "es", "value": "El complemento IMITHEMES Listing es vulnerable a la escalada de privilegios mediante la apropiaci\u00f3n de cuentas en todas las versiones hasta la 3.3 incluida. Esto se debe a que el complemento no valida correctamente el valor del c\u00f3digo de verificaci\u00f3n antes de actualizar la contrase\u00f1a mediante la funci\u00f3n imic_reset_password_init(). Esto permite que atacantes no autenticados cambien la contrase\u00f1a de cualquier usuario, incluyendo la de administradores, si se conoce su correo electr\u00f3nico."}], "id": "CVE-2025-2253", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-09T07:16:04.010", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/auto-stars-car-dealership-listings-wp-theme/11560490"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed0ea4a-9cbf-4033-a31f-6cb954e8ce01?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-620"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:53:24.721048+00:00", "value": {"mitigation_remediation": ["Upgrade IMITHEMES Listing to a release newer than 3.3 that contains the fix.", "If an upgrade is not immediately possible, restrict access to the password reset endpoint by using firewall rules or web\u2011application settings to allow only trusted IP addresses or require authentication before password reset.", "Change all user passwords, especially administrator accounts, to strong, unique values after deployment of the fix or restriction measures.", "Monitor web application logs for unexpected password reset attempts and enforce rate limiting to mitigate brute\u2011force efforts."], "summary": {"action": "Patch", "impact": "Privilege Escalation via Password Reset Abuse"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the IMITHEMES Listing plugin up to and including version 3.3. Only users installing these versions are at risk; newer releases are presumed to have addressed the flaw.", "description_and_impact": "The IMITHEMES Listing plugin fails to validate a verification code when resetting passwords, allowing an unauthenticated attacker to change any user\u2019s password if the user\u2019s email address is known. The consequence is full control over that user\u2019s account, including administrator accounts, thereby compromising confidentiality, integrity, and availability of the WordPress site. This weakness is categorized as CWE-620.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, indicating a high severity impact. The EPSS score is less than 1%, suggesting exploitation is not widespread but still possible. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker can simply send a password reset request to the plugin\u2019s endpoint with a known user email, bypass authentication, and set a new password, then use the account to further compromise the site. No special privileges or network access are required beyond the ability to send HTTP requests to the server."}}}}, "created": "2026-04-21T21:00:36.007246+00:00", "updated": "2026-04-21T21:00:36.007261+00:00", "vendors": []}