CVE-2025-60123: CWE-862 Missing Authorization in HivePress HivePress Claim Listings
Missing Authorization vulnerability in HivePress HivePress Claim Listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HivePress Claim Listings: from n/a through 1.1.3.
AI Analysis
Technical Summary
CVE-2025-60123 is a Missing Authorization flaw (CWE-862) in the HivePress Claim Listings WordPress plugin, affecting all versions up to and including 1.1.3. CWE-862 means the plugin performs a privileged operation without first checking that the caller is authorized to perform it: in WordPress terms, a handler (an AJAX, REST or form action) that acts on a request without a capability check such as current_user_can(). The phrase "Exploiting Incorrectly Configured Access Control Security Levels" in the advisory is the CAPEC attack-pattern name attached to the entry, not a description of a specific endpoint; the advisory does not name the affected function. The CVSS 3.1 base score is 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, requires a low-privileged authenticated account (PR:L, so any registered user such as a subscriber can attempt it), no user interaction, scope unchanged, and a limited impact on integrity only (I:L) with no confidentiality or availability impact. No exploitation in the wild had been reported and no patch was linked at the time of analysis. HivePress Claim Listings lets users claim ownership of listings on HivePress-based directory and marketplace sites, so the practical consequence of a missing authorization check is that a low-privileged user may be able to create, modify or act on listing claims they should not control, leading to fraudulent claims or unauthorized content changes.
Potential Impact
For European organizations running marketplaces, directories or classifieds on HivePress with the Claim Listings extension, the risk is to data integrity: a low-privileged, authenticated user may be able to alter listing claims, which can result in listings being claimed by the wrong party, misleading or fraudulent content, and a loss of user trust. Confidentiality and availability are not directly affected. Downstream effects can include regulatory exposure (for example under GDPR where listings carry personal data), customer complaints and financial loss from fraudulent claims. Because any registered account suffices (PR:L), sites that allow open self-registration expose the flaw to a far larger population than sites that vet accounts. No exploits were known at the time of analysis, which lowers immediate risk but does not remove it, since publicly disclosed authorization flaws in popular WordPress plugins are routinely reverse-engineered from the fix once it ships.
Mitigation Recommendations
Start by establishing exposure: list installed plugins and versions (for example with wp plugin list from WP-CLI, or from the WordPress admin Plugins page) and treat any HivePress Claim Listings install at 1.1.3 or earlier as affected. Check HivePress for a release newer than 1.1.3 and apply it promptly; the advisory's affected range ends at 1.1.3, but no fix was linked at the time of analysis, so confirm against the vendor changelog rather than assuming one exists. Until a fixed version is in place, reduce who can reach the flaw: exploitation requires an authenticated account (PR:L), so disable open self-registration if the site does not need it, review existing low-privilege accounts, and keep roles that interact with claims to the minimum set of capabilities. If claims are not business-critical, temporarily deactivate the Claim Listings extension. WAF rules can help, but the advisory does not name the vulnerable endpoint, so generic rules (rate-limiting and logging requests to admin-ajax.php and any REST routes the plugin registers from low-privileged sessions) are a monitoring aid rather than a reliable block. Log and alert on claim creation, approval and status changes, and reconcile them against expected workflows so that an unauthorized change is caught early. Finally, include access-control enforcement (a capability check on every claim action, tested from every role) in the site's own security testing, since a missing check in one handler is often accompanied by others.
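The pattern behind CWE-862 in a WordPress plugin, and the check that closes it, as an added illustration written for this page. This is not HivePress code: the hook names, the hp_claim post type and the manage_claims capability are assumptions made for the example, and the real plugin's handler is not described in the advisory.

```php
<?php
// Added example, NOT code from HivePress Claim Listings. Hook names, the
// 'hp_claim' post type and the 'manage_claims' capability are assumptions.

// --- Vulnerable form (CWE-862): no authorization check at all. wp_ajax_*
// --- hooks fire for any logged-in session, so a subscriber-level account
// --- (CVSS PR:L) can change the status of any claim by ID.
function example_claim_update_vulnerable() {
    $claim_id = absint( $_POST['claim_id'] ?? 0 );
    $status   = sanitize_key( $_POST['status'] ?? '' );

    // Input is sanitized, but sanitization is not authorization: nothing here
    // asks whether THIS user may act on THIS claim.
    wp_update_post( array( 'ID' => $claim_id, 'post_status' => $status ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_claim_update_vulnerable', 'example_claim_update_vulnerable' );

// --- Hardened form: validate, then authorize the caller for the specific
// --- object and action, before any state changes.
function example_claim_update_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (check_ajax_referer() dies with a 403 on failure).
    check_ajax_referer( 'example_claim_update', 'nonce' );

    $claim_id = absint( $_POST['claim_id'] ?? 0 );
    $status   = sanitize_key( $_POST['status'] ?? '' );

    // 2. Only a closed set of target states is acceptable.
    $allowed = array( 'publish', 'pending', 'draft' );
    if ( ! $claim_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // 3. Object-level authorization: the claim must exist, be of the expected
    //    type, and the caller must be allowed to edit this particular post.
    $claim = get_post( $claim_id );
    if ( ! $claim || 'hp_claim' !== $claim->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( ! current_user_can( 'edit_post', $claim_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Approving a claim is a moderation step, so gate it behind a dedicated
    //    capability (assumed name) instead of any edit right on the post.
    if ( 'publish' === $status && ! current_user_can( 'manage_claims' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_update_post( array( 'ID' => $claim_id, 'post_status' => $status ) );
    wp_send_json_success( array( 'id' => $claim_id, 'status' => $status ) );
}
add_action( 'wp_ajax_example_claim_update_hardened', 'example_claim_update_hardened' );
```

When testing a plugin for this class of bug, drive each claim action from a subscriber account against a claim owned by a different user and confirm a 403 comes back; a nonce check alone is not sufficient, because a low-privileged user can obtain a valid nonce for their own session and the flaw is that the session is not entitled to the action in the first place.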
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:20:29.870Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d692e0828ba7f61ebe57bc
Added to database: 9/26/2025, 1:19:28 PM
Last enriched: 9/26/2025, 1:24:02 PM
Last updated: 10/7/2025, 2:29:49 AM