CVE-2025-69185
Published: 22 January 2026
Summary
CVE-2025-69185 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69185 is a missing authorization vulnerability (CWE-862) in the e-plugins Hotel Listing WordPress plugin (hotel-listing), which allows exploitation of incorrectly configured access control security levels. The issue affects all versions of the plugin from n/a through 1.4.2. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized access to restricted resources or minor disruptions tied to broken access controls.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve) documents this broken access control issue in Hotel Listing plugin version 1.4.2, providing details relevant to mitigation for WordPress environments. Security practitioners should review it for patching guidance and configuration recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3867
Vulnerability details
Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct mapping to exploitation of a publicly accessible web application (WordPress plugin) via broken access control / missing authorization, enabling remote unauthenticated access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on plugin functions so unauthenticated requests cannot bypass access controls as described in CVE-2025-69185.
Limits privileges assigned to unauthenticated or low-privileged roles, reducing the impact of the missing authorization flaw in the Hotel Listing plugin.
Requires timely remediation of the identified authorization flaw in plugin versions <= 1.4.2, eliminating the root cause of the vulnerability.