CVE-2025-64378: Missing Authorization in CridioStudio ListingPro
Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through < 2.9.10.
AI Analysis
Technical Summary
CVE-2025-64378 identifies a Missing Authorization vulnerability in CridioStudio's ListingPro plugin, a popular WordPress directory and listing management tool. The flaw stems from incorrectly configured access control security levels that fail to restrict user permissions properly, so an attacker can bypass authorization checks and perform actions that should be restricted, such as viewing, modifying, or deleting listings without the required privileges. All ListingPro releases prior to 2.9.10 are affected; no narrower version range has been given. The CVE was reserved on October 31, 2025, and published on December 18, 2025. No CVSS score has been assigned, and no public exploits are known at this time. The flaw can be exploited remotely by anyone who can reach the vulnerable ListingPro instance, typically a WordPress site. Because ListingPro manages business listings, unauthorized access could lead to data leakage, unauthorized content changes, or disruption of directory services; the absence of proper authorization checks represents a critical security lapse that undermines the integrity and confidentiality of the application's data. Exploitation requires no user interaction, only network access to the affected system. Given the plugin's role in managing business-critical information, exploitation could have significant operational and reputational impacts.
Potential Impact
For European organizations, the impact of CVE-2025-64378 could be substantial, especially for those relying on ListingPro for business directories, local listings, or service marketplaces. Unauthorized access could lead to exposure of sensitive business information, unauthorized modification or deletion of listings, and potential disruption of services offered through these platforms. This could damage customer trust, lead to regulatory compliance issues under GDPR due to unauthorized data exposure, and cause financial losses from operational downtime or reputational harm. Organizations in sectors such as retail, hospitality, and local services that use ListingPro to manage customer-facing directories are particularly at risk. The vulnerability’s exploitation could also facilitate further attacks by providing attackers with footholds or sensitive data. Since ListingPro is a WordPress plugin, the widespread use of WordPress in Europe increases the potential attack surface. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure.
Mitigation Recommendations
1. Immediately update ListingPro to version 2.9.10 or later once the patch is available from CridioStudio to ensure the authorization flaw is fixed.
2. Until patching is possible, restrict access to the ListingPro administration and management interfaces using network-level controls such as IP whitelisting or VPN access to limit exposure.
3. Review and harden WordPress user roles and permissions to ensure that only trusted users have administrative or listing management privileges.
4. Implement web application firewalls (WAF) with rules designed to detect and block unauthorized access attempts targeting ListingPro endpoints.
5. Conduct regular audits of listing data and logs to detect unauthorized changes or access patterns indicative of exploitation attempts.
6. Educate site administrators on the importance of timely plugin updates and secure configuration practices.
7. Monitor threat intelligence feeds and vendor advisories for any emerging exploit information related to this vulnerability.
8. Consider isolating ListingPro installations on segmented network zones to reduce lateral movement risk if compromised.
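The advisory does not publish the affected ListingPro code path, so the following is an added, hypothetical illustration of the vulnerability class rather than the plugin's own code: a WordPress AJAX handler that deletes a listing, first with no authorization check (the Missing Authorization pattern described above), then hardened the way a plugin author or reviewer would expect. The action names `lp_demo_delete_listing_unchecked` / `lp_demo_delete_listing_checked`, the nonce action `lp_demo_delete_listing`, and the `listing` post type are assumptions for the example; `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `absint` and `wp_delete_post` are standard WordPress core functions.

```php
<?php
// Added example (not ListingPro's code). Post type 'listing' and the action
// names below are assumptions chosen for illustration.

// Vulnerable pattern: no capability check, no nonce, and a 'nopriv' hook that
// lets unauthenticated callers reach the handler via admin-ajax.php. Any
// request that can name a post ID can delete it.
function lp_demo_delete_listing_unchecked() {
    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    wp_delete_post( $listing_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_lp_demo_delete_listing_unchecked', 'lp_demo_delete_listing_unchecked' );
add_action( 'wp_ajax_nopriv_lp_demo_delete_listing_unchecked', 'lp_demo_delete_listing_unchecked' );

// Hardened pattern: logged-in users only (no 'nopriv' hook), a valid nonce for
// this action, and an object-level capability check on the specific post.
function lp_demo_delete_listing_checked() {
    // Rejects the request with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'lp_demo_delete_listing', 'nonce' );

    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    $post       = get_post( $listing_id );

    // The post must exist, be of the expected type, and the current user must
    // hold the 'delete_post' meta capability for this particular post. A role
    // check alone (e.g. "is an administrator") would not stop a lower-privileged
    // user from deleting listings that belong to someone else.
    if ( ! $post || 'listing' !== $post->post_type || ! current_user_can( 'delete_post', $listing_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_delete_post( $listing_id, true );
    wp_send_json_success( array( 'deleted' => $listing_id ) );
}
add_action( 'wp_ajax_lp_demo_delete_listing_checked', 'lp_demo_delete_listing_checked' );

// The front-end that calls the hardened handler must send a nonce generated
// server-side for the same action string, e.g. wp_create_nonce( 'lp_demo_delete_listing' ),
// as the 'nonce' POST field alongside 'action' and 'listing_id'.
```

When auditing a plugin for this class of flaw, the three things to look for are visible in the contrast above: `wp_ajax_nopriv_*` (or a REST route with `permission_callback => '__return_true'`) on a state-changing action, the absence of a `current_user_can()` call before the write, and a capability check that names a role or a generic capability instead of the object being modified.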
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-31T11:23:19.708Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b0564eb3efac36700b38
Added to database: 12/18/2025, 7:42:14 AM
Last enriched: 12/18/2025, 8:00:44 AM
Last updated: 12/19/2025, 6:37:50 AM