CVE-2025-2253
The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating a user's password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's password, including an administrator's, if the user's email is known.
Vendor
-
Product
-
CWE
Published Date
2025-05-09 07:16:04
Updated
2025-05-12 17:32:52
Source Identifier
security@wordfence.com
KEV Date Added
-