Description
Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.20.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access or modification
Action: Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Easy Property Listings plugin, allowing attackers to exploit incorrectly configured access control levels. This broken access control can enable an unauthenticated or low‑privilege user to view, modify, or delete property listings, jeopardizing site data confidentiality, integrity, and availability. The flaw is categorized as CWE-862.

Affected Systems

Merv Barrett Easy Property Listings plugin for WordPress, versions up to and including 3.5.20. Any WordPress installation running one of those plugin versions is susceptible unless the plugin is upgraded or its access level settings are corrected.

Risk and Exploitability

The reported CVSS score of 6.5 indicates moderate impact, and the EPSS score of less than 1% suggests a very low current exploitation probability. The flaw is not listed in the CISA KEV inventory. Attackers can reach the vulnerability through the public web interface, typically by logging into any standard user account; because the plugin fails to enforce proper authorization, that user can perform privileged actions such as editing or deleting listings.

Generated by OpenCVE AI on April 28, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Property Listings to version 3.5.21 or later.
  • Restrict property‑management capabilities so that only administrators can create, edit, or delete listings, removing or revoking these permissions from non‑admin roles.
  • If an immediate upgrade is not possible, temporarily deactivate the Easy Property Listings plugin until a patched version is available to prevent unauthorized access.

Generated by OpenCVE AI on April 28, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.17. Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.20.
Title WordPress Easy Property Listings plugin <= 3.5.17 - Broken Access Control vulnerability WordPress Easy Property Listings plugin <= 3.5.20 - Broken Access Control vulnerability

Wed, 28 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Merv Barrett
Merv Barrett easy Property Listings
Wordpress
Wordpress wordpress
Vendors & Products Merv Barrett
Merv Barrett easy Property Listings
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.17.
Title WordPress Easy Property Listings plugin <= 3.5.17 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Merv Barrett Easy Property Listings
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:58:03.481Z

Reserved: 2025-12-15T10:01:24.072Z

Link: CVE-2025-68072

cve-icon Vulnrichment

Updated: 2026-01-28T15:38:55.019Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:09.993

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68072

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:00:06Z

Weaknesses