CVE-2025-68072 identifies a missing authorization vulnerability in the Easy Property Listings WordPress plugin developed by Merv Barrett, affecting all versions up to and including 3.5.17. The core issue stems from incorrectly configured access control security levels, which fail to properly restrict unauthorized users from accessing or manipulating certain functionalities or data within the plugin. This vulnerability can be exploited remotely over the network without requiring any prior authentication or user interaction, increasing its potential attack surface. The impact primarily concerns confidentiality and integrity, as unauthorized actors may gain access to sensitive property listing data or modify listings without permission. However, availability is not affected. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). Currently, there are no known exploits in the wild, and no official patches have been linked yet. The vulnerability was reserved in December 2025 and published in January 2026. Given the plugin’s widespread use in real estate websites, especially those built on WordPress, this vulnerability poses a tangible risk to organizations relying on it for property listings management.

For European organizations, the missing authorization vulnerability could lead to unauthorized access to property listing data, potentially exposing sensitive client information or internal business data. Attackers might manipulate listings, causing reputational damage or financial loss due to misinformation or fraud. Although the vulnerability does not impact availability, the breach of confidentiality and integrity could undermine trust in affected platforms. Real estate agencies, property management firms, and online listing services using Easy Property Listings are at risk. The medium severity rating suggests that while the threat is not critical, it is significant enough to warrant prompt attention to avoid exploitation. The lack of required authentication and user interaction means attackers can exploit this vulnerability remotely and at scale, increasing the risk of widespread data exposure or unauthorized modifications across multiple European organizations.

Organizations should immediately audit their use of the Easy Property Listings plugin and verify if they are running affected versions (up to 3.5.17). Until an official patch is released, administrators should restrict access to the plugin’s administrative and listing management interfaces using web application firewalls (WAFs) or IP whitelisting to limit exposure. Implementing strict role-based access controls within WordPress can help minimize unauthorized access. Monitoring logs for unusual access patterns or unauthorized changes to listings is critical for early detection. Once a vendor patch or update is available, apply it promptly. Additionally, consider isolating the property listings functionality on segmented network zones to reduce lateral movement risks. Regular backups of listing data should be maintained to enable recovery in case of data tampering.