CVE-2025-69190
Published: 22 January 2026
Summary
CVE-2025-69190 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2025-69190 is a missing authorization vulnerability (CWE-862) in the Listihub WordPress theme developed by e-plugins. The issue, which involves exploiting incorrectly configured access control security levels, affects Listihub versions from n/a through 1.0.6. Published on 2026-01-22, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants limited access, resulting in low impacts to confidentiality, integrity, and availability.
The Patchstack advisory provides further details on this broken access control vulnerability in the Listihub WordPress theme version 1.0.6 at https://patchstack.com/database/Wordpress/Theme/listihub/vulnerability/wordpress-listihub-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3880
Vulnerability details
Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Listihub: from n/a through <= 1.0.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (broken access control) in public-facing WordPress theme directly enables remote unauthenticated exploitation of the application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks before allowing access to Listihub functions, preventing the missing-authorization exploitation described in CVE-2025-69190.
Requires that only the minimum necessary privileges are granted, limiting the impact of any incorrectly configured access control levels in the theme.
Ensures access control decisions are made and enforced consistently, addressing the incorrectly configured security levels that enable the unauthenticated attack.