Description
Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.22.
Published: 2025-12-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization controls in the Easy Property Listings plugin allow an attacker to bypass intended access restrictions. Because the plugin does not enforce proper authorization on certain endpoints, a user could potentially view or edit property listings, manage plugin settings, or access sensitive data without valid credentials. This weakness is classified as CWE-862, which indicates that the software fails to check whether a user is authorized to perform an action.

Affected Systems

Affected installations are WordPress sites running the Easy Property Listings plugin version 3.5.22 or earlier. The vendor responsible is Merv Barrett. No explicit version range is listed beyond “up to 3.5.22”, so any site deploying a compatible version is at risk.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the medium risk category, while an EPSS less than 1 % indicates a very low likelihood of current exploitation. It does not appear in the CISA KEV catalog. The attack vector is likely via the web application, where a non‑privileged user could submit crafted requests to exposed plugin endpoints. Because the issue arises from incorrect configuration of access‑control security levels, an attacker need not exploit a separate bug; they must merely locate an endpoint that lacks proper authorization checks.

Generated by OpenCVE AI on April 29, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Easy Property Listings plugin to a version newer than 3.5.22.
  • Restrict public access to the plugin’s administrative pages or disable functionality that is not required by your site.
  • Temporarily disable the Easy Property Listings plugin until a secure version is installed.

Generated by OpenCVE AI on April 29, 2026 at 19:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.21. Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.22.
Title WordPress Easy Property Listings plugin <= 3.5.21 - Broken Access Control vulnerability WordPress Easy Property Listings plugin <= 3.5.22 - Broken Access Control vulnerability
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.15. Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.21.
Title WordPress Easy Property Listings plugin <= 3.5.15 - Broken Access Control vulnerability WordPress Easy Property Listings plugin <= 3.5.21 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 16 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Merv Barrett
Merv Barrett easy Property Listings
Wordpress
Wordpress wordpress
Vendors & Products Merv Barrett
Merv Barrett easy Property Listings
Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.15.
Title WordPress Easy Property Listings plugin <= 3.5.15 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Merv Barrett Easy Property Listings
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:12.643Z

Reserved: 2025-10-29T03:08:12.203Z

Link: CVE-2025-64242

cve-icon Vulnrichment

Updated: 2025-12-16T17:30:35.992Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:15:53.773

Modified: 2026-04-27T16:16:36.783

Link: CVE-2025-64242

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:15:18Z

Weaknesses