CVE-2025-2253

Name of the Vulnerable Software and Affected Versions IMITHEMES Listing plugin versions up to, and including, 3.3

Description The issue is related to privilege escalation via account takeover. This is due to the plugin not properly validating a verification code value prior to updating a user's password through the imic reset password init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators, if the user's email is known.

Recommendations For IMITHEMES Listing plugin versions up to, and including, 3.3, consider disabling the imic reset password init() function until a patch is available to prevent unauthenticated attackers from changing user passwords. Restrict access to password reset functionality to minimize the risk of exploitation. Avoid using the password reset feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.