Description
Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization issue in the PropertyHive WordPress plugin. It allows attackers to access property content that should be restricted. The description does not mention that the flaw enables code execution, editing or deletion of listings. The weakness is classified as CWE‑862, a lack of proper authorization enforcement.

Affected Systems

WordPress sites running PropertyHive plugin versions 2.1.12 or earlier are affected. The issue originates in the earliest releases and continues through all versions up to and including 2.1.12. Any site that has not upgraded beyond this threshold remains vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate impact. EPSS is less than 1%, meaning exploitation in the wild is unlikely at present. The vulnerability is not listed in CISA KEV. The likely attack vector is an attacker who can reach the property pages or administrative interface and can bypass the flawed access controls, possibly by possessing any user account or exploiting a site misconfiguration. No public exploits are documented, but the flaw persists until the plugin is upgraded or access controls are reviewed.

Generated by OpenCVE AI on April 30, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest PropertyHive plugin version (greater than 2.1.12).
  • If immediate upgrade is not possible, disable or uninstall the PropertyHive plugin to remove the vulnerable code.
  • Review and tighten WordPress user role capabilities so that only authorized roles can access property management features.
  • Audit and configure the access control settings to ensure only intended users can view property data.

Generated by OpenCVE AI on April 30, 2026 at 05:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Propertyhive
Propertyhive propertyhive
Wordpress
Wordpress wordpress
Vendors & Products Propertyhive
Propertyhive propertyhive
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12.
Title WordPress PropertyHive plugin <= 2.1.12 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Propertyhive Propertyhive
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:16.481Z

Reserved: 2025-11-21T11:21:04.795Z

Link: CVE-2025-66087

cve-icon Vulnrichment

Updated: 2025-11-21T21:38:15.748Z

cve-icon NVD

Status : Deferred

Published: 2025-11-21T13:15:49.893

Modified: 2026-04-27T18:16:34.793

Link: CVE-2025-66087

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:15:28Z

Weaknesses