CVE-2025-69191
Published: 22 January 2026
Summary
CVE-2025-69191 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-69191 is a missing authorization vulnerability (CWE-862) in the ListingHub WordPress plugin by e-plugins. The flaw enables exploitation of incorrectly configured access control security levels and affects all versions of the plugin up to and including 1.2.7. Published on 2026-01-22, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized access to certain plugin functions or data due to broken access controls.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve provides details on the broken access control issue in ListingHub version 1.2.7.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3898
Vulnerability details
Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) in public-facing WordPress plugin directly enables remote unauthenticated exploitation of access controls per T1190.
Mitigating Controls (NIST 800-53 r5)
Directly enforces authorization checks on plugin functions and data, preventing the missing-authorization flaw from allowing unauthenticated access.
Restricts privileges to only those required, limiting the impact of any incorrectly configured or missing access controls in the plugin.
Requires timely remediation of the identified authorization flaw in ListingHub versions <= 1.2.7 via patching or removal.