{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68059", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:19.543Z", "datePublished": "2026-01-22T16:52:06.756Z", "dateUpdated": "2026-04-28T16:14:27.936Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "hotel-listing", "product": "Hotel Listing", "vendor": "e-plugins", "versions": [{"lessThanOrEqual": "1.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:01.200Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Hotel Listing: from n/a through <= 1.4.2.</p>"}], "value": "Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.936Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability-2?_s_id=cve"}], "title": "WordPress Hotel Listing plugin <= 1.4.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T16:54:14.627452Z", "id": "CVE-2025-68059", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:30:13.749Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68059", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T16:54:14.627452Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T16:54:05.761Z"}}], "cna": {"title": "WordPress Hotel Listing plugin <= 1.4.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "e-plugins", "product": "Hotel Listing", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.2"}], "packageName": "hotel-listing", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:01.200Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Hotel Listing: from n/a through <= 1.4.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:56.163Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68059", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:30:13.749Z", "dateReserved": "2025-12-15T10:01:19.543Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:06.756Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en e-plugins Hotel Listing hotel-listing permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Hotel Listing: desde n/a hasta &lt;= 1.4.2."}], "id": "CVE-2025-68059", "lastModified": "2026-04-27T19:16:24.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:09.873", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:51:16.837206+00:00", "value": {"mitigation_remediation": ["Update the Hotel Listing plugin to the latest available version to obtain the vendor\u2011supplied fix.", "If a patch is unavailable, restrict access to the plugin\u2019s administrative pages using role\u2011based permissions or IP filtering so that only trusted administrators can reach them.", "Review any custom code that calls the plugin\u2019s functionality and add explicit authorization checks in accordance with best practices for CWE\u2011862."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access via broken authorization checks"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress Hotel Listing plugin from e\u2011plugins, impacting all released versions up to and including 1.4.2. No newer fixed versions are specified in the data provided.", "description_and_impact": "The Hotel Listing plugin suffers from a missing authorization flaw that allows attackers to interact with functionalities or data that should be restricted. This broken access control can lead to unauthorized viewing or modification of listings and other protected information, and it is classified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 7.6 indicates significant impact, while the EPSS score of below 1% suggests low probability of exploit; the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is exposure of administrative endpoints within the plugin, which an attacker could reach from a web-based interface to bypass intended access restrictions. Precise exploitation conditions are not detailed, but any user with sufficient privileges to reach the plugin\u2019s pages could potentially abuse the missing checks."}}}}, "created": "2026-01-23T16:29:18.115883+00:00", "updated": "2026-04-28T10:00:06.493515+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}