CVE-2025-63049 identifies a missing authorization vulnerability in the ListingPro Lead Form plugin developed by CridioStudio, affecting versions up to and including 1.0.2. The vulnerability arises because the plugin's lead form functionality does not enforce proper Access Control Lists (ACLs), allowing unauthenticated remote attackers to invoke certain functions that should be restricted. This flaw is exploitable over the network without requiring authentication or user interaction, which increases its risk profile. However, the impact is limited to confidentiality as the attacker can access some data or functionality not intended for public access, but cannot modify data or disrupt service availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) confirms the ease of exploitation and limited impact scope. No known exploits have been reported in the wild, and no official patches or mitigation advisories have been released by CridioStudio at the time of publication. The vulnerability was reserved in late October 2025 and published in early December 2025. Organizations using this plugin should be aware of the risk of unauthorized data exposure and prepare to apply patches or mitigations once available.

For European organizations, the primary impact is unauthorized access to potentially sensitive lead form data or functionality within websites using the ListingPro Lead Form plugin. Although the vulnerability does not allow data modification or service disruption, unauthorized data access could lead to information leakage, privacy concerns, or reconnaissance opportunities for further attacks. Organizations handling personal data through these forms may face compliance risks under GDPR if unauthorized access leads to data breaches. The risk is heightened for public-facing websites with high traffic or those in sectors like real estate, hospitality, or local services where ListingPro is commonly used. The absence of known exploits reduces immediate risk, but the ease of exploitation and network accessibility mean attackers could develop exploits quickly once the vulnerability is widely known. This could lead to targeted attacks on European SMEs and enterprises relying on WordPress plugins for lead generation and customer engagement.

1. Immediately audit all WordPress sites for the presence of the ListingPro Lead Form plugin and identify affected versions (<= 1.0.2). 2. Restrict access to the lead form endpoints via web application firewalls (WAFs) or IP whitelisting where feasible to limit exposure. 3. Implement additional access control mechanisms at the server or application level to enforce authorization on lead form functionalities. 4. Monitor web server and application logs for unusual or unauthorized access patterns targeting the lead form endpoints. 5. Engage with CridioStudio or trusted security sources to obtain patches or updates as soon as they are released and apply them promptly. 6. Consider temporarily disabling or replacing the plugin with alternative solutions if immediate patching is not possible. 7. Educate site administrators on the risks and ensure regular plugin updates and security hygiene are maintained. 8. Review GDPR compliance and incident response plans in case unauthorized data access occurs.