CVE-2025-64378 is a missing authorization vulnerability affecting CridioStudio's ListingPro plugin for WordPress, specifically versions before 2.9.10. The vulnerability arises from incorrectly configured access control security levels, which fail to properly restrict access to certain functionality or resources within the plugin. This flaw allows unauthenticated remote attackers to perform unauthorized actions that modify data integrity without requiring any privileges or user interaction. The CVSS v3.1 score of 7.5 reflects a high severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U), and the impact affects integrity (I:H) but not confidentiality (C:N) or availability (A:N). Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk because it can be exploited remotely and silently to alter listing data or configurations, potentially undermining trustworthiness and operational correctness of affected websites. ListingPro is a popular directory and listing management plugin for WordPress, widely used by businesses and organizations to manage online listings, events, or services. The missing authorization issue likely stems from improper validation of user permissions before allowing sensitive operations, which could be leveraged to manipulate listings or administrative settings.

For European organizations, the primary impact of this vulnerability is the compromise of data integrity within websites using the ListingPro plugin. Unauthorized modification of listings or related data can lead to misinformation, reputational damage, and potential business disruption. Organizations relying on ListingPro for customer-facing directories, event listings, or service catalogs may experience loss of user trust or operational issues if attackers exploit this flaw. Although confidentiality and availability are not directly affected, the integrity breach could facilitate further attacks such as phishing or fraud by altering displayed information. This risk is particularly relevant for sectors like tourism, local business directories, and event management, which are common use cases for ListingPro in Europe. Additionally, regulatory compliance concerns may arise if altered data leads to misinformation impacting consumers or partners. The lack of known exploits in the wild suggests a window of opportunity for defenders to patch before active exploitation occurs.

To mitigate CVE-2025-64378, organizations should promptly update ListingPro to version 2.9.10 or later once the patch is released by CridioStudio. Until an official patch is available, administrators should implement strict access control measures at the web server or application firewall level to restrict access to sensitive plugin endpoints. Reviewing and hardening WordPress user roles and permissions can reduce the attack surface by limiting anonymous or low-privilege access. Monitoring web server logs and application activity for unusual requests targeting ListingPro endpoints can help detect attempted exploitation. Employing a web application firewall (WAF) with custom rules to block unauthorized access patterns related to ListingPro functions is recommended. Regular backups of website data enable recovery in case of unauthorized modifications. Finally, organizations should engage with their CMS and plugin vendors to stay informed about updates and advisories related to ListingPro.