CVE-2025-66087 identifies a Missing Authorization vulnerability in the Property Hive WordPress plugin, specifically affecting versions up to and including 2.1.12. Property Hive is a popular real estate plugin used to manage property listings and related data on WordPress sites. The vulnerability arises from incorrectly configured access control security levels, which means that certain functions or data that should be restricted to authorized users are accessible without proper authorization checks. This can allow an attacker to perform unauthorized actions, such as viewing, modifying, or deleting property data or accessing administrative features. The vulnerability does not require known user authentication or interaction, increasing its risk profile. Although no public exploits have been reported, the flaw's presence in a widely used plugin makes it a potential target for attackers. The lack of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed, but the nature of missing authorization typically leads to significant confidentiality and integrity impacts. The vulnerability affects all installations running vulnerable versions of Property Hive, which is commonly used in real estate websites globally, including Europe. The absence of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate attention from administrators. The vulnerability was reserved and published in November 2025 by Patchstack, a known security researcher group focusing on WordPress plugins.

For European organizations, especially those operating real estate platforms or websites using the Property Hive plugin, this vulnerability poses a significant risk. Unauthorized access to property data can lead to exposure of sensitive client information, property details, and potentially financial data. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data exposure), and financial losses. Attackers exploiting this flaw could manipulate listings, causing misinformation or fraud. The impact extends to website integrity and availability if attackers modify or delete critical data. Given the real estate sector's importance in Europe and the widespread use of WordPress-based solutions, the vulnerability could affect a broad range of small to medium enterprises and large agencies. The lack of authentication requirements for exploitation increases the threat level, as attackers can remotely exploit the vulnerability without prior access. This could also facilitate further attacks such as phishing or social engineering by leveraging exposed data.

Administrators should immediately audit their Property Hive plugin versions and upgrade to the latest version once a patch is released. Until a patch is available, restrict access to the WordPress admin dashboard and any endpoints related to Property Hive using network-level controls such as IP whitelisting or VPN access. Implement strict role-based access controls within WordPress to limit permissions to trusted users only. Monitor logs for unusual access patterns or unauthorized attempts to access Property Hive functionalities. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting Property Hive endpoints. Regularly back up website data to enable recovery in case of data tampering. Engage with the Property Hive vendor or community to stay informed about patch releases and security advisories. Conduct penetration testing focused on access control mechanisms to identify any other potential weaknesses. Finally, educate staff about the risks of unauthorized access and ensure strong authentication methods are in place for administrative accounts.