{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68072", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:24.072Z", "datePublished": "2026-01-22T16:52:06.979Z", "dateUpdated": "2026-04-28T19:58:03.481Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "easy-property-listings", "product": "Easy Property Listings", "vendor": "Merv Barrett", "versions": [{"changes": [{"at": "3.5.21", "status": "unaffected"}], "lessThanOrEqual": "3.5.20", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:23.996Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Easy Property Listings: from n/a through <= 3.5.20.</p>"}], "value": "Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.20."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.293Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-16-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Easy Property Listings plugin <= 3.5.20 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T15:38:26.934384Z", "id": "CVE-2025-68072", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:58:03.481Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T15:38:26.934384Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:38:55.019Z"}}], "cna": {"title": "WordPress Easy Property Listings plugin <= 3.5.20 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Merv Barrett", "product": "Easy Property Listings", "versions": [{"status": "affected", "changes": [{"at": "3.5.21", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.5.20"}], "packageName": "easy-property-listings", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:23.996Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-16-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.20.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Easy Property Listings: from n/a through <= 3.5.20.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:11:57.444Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68072", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:22:36.521Z", "dateReserved": "2025-12-15T10:01:24.072Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:06.979Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.20."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en Merv Barrett Easy Property Listings easy-property-listings permite la Explotaci\u00f3n de Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a Easy Property Listings: desde n/a hasta &lt;= 3.5.17."}], "id": "CVE-2025-68072", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:09.993", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-16-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:50:47.494549+00:00", "value": {"mitigation_remediation": ["Upgrade Easy Property Listings to version 3.5.21 or later.", "Restrict property\u2011management capabilities so that only administrators can create, edit, or delete listings, removing or revoking these permissions from non\u2011admin roles.", "If an immediate upgrade is not possible, temporarily deactivate the Easy Property Listings plugin until a patched version is available to prevent unauthorized access."], "summary": {"action": "Patch", "impact": "Unauthorized data access or modification"}, "threat_synthesis": {"affected_systems": "Merv Barrett Easy Property Listings plugin for WordPress, versions up to and including 3.5.20. Any WordPress installation running one of those plugin versions is susceptible unless the plugin is upgraded or its access level settings are corrected.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Easy Property Listings plugin, allowing attackers to exploit incorrectly configured access control levels. This broken access control can enable an unauthenticated or low\u2011privilege user to view, modify, or delete property listings, jeopardizing site data confidentiality, integrity, and availability. The flaw is categorized as CWE-862.", "risk_and_exploitability": "The reported CVSS score of 6.5 indicates moderate impact, and the EPSS score of less than 1% suggests a very low current exploitation probability. The flaw is not listed in the CISA KEV inventory. Attackers can reach the vulnerability through the public web interface, typically by logging into any standard user account; because the plugin fails to enforce proper authorization, that user can perform privileged actions such as editing or deleting listings."}}}}, "created": "2026-01-23T16:29:54.776356+00:00", "updated": "2026-04-28T10:00:06.493132+00:00", "vendors": ["merv_barrett", "merv_barrett$PRODUCT$easy_property_listings", "wordpress", "wordpress$PRODUCT$wordpress"]}