Attack Vectors
CVE-2025-14892 is a Critical (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) vulnerability affecting the Prime Listing Manager WordPress plugin (prime-listing-manager) in all versions up to and including 1.1.
The primary attack path is simple and requires no account on the site: an unauthenticated attacker who can reach the site over the internet can submit a request to change the password of an existing user, most dangerously an administrator. Once the password has been changed, the attacker simply logs in as that user and takes over the account.
From a business-risk perspective, this is especially concerning because it can be exploited without staff interaction (no “click” required) and can lead directly to full administrative control of the website.
Security Weakness
According to the published vulnerability details, Prime Listing Manager does not properly validate a user’s identity before allowing a password update. In practical terms, the plugin accepts a password change request without confirming that the requester is the owner of the targeted account (or is otherwise authorized to change that account’s password), so the request can be satisfied by anyone who can reach the site.
This weakness enables privilege escalation via account takeover: an attacker can change an arbitrary user’s password (including admin users) and then authenticate as that user.
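The following is an added illustration of the class of flaw described above, not the actual Prime Listing Manager code: a hypothetical WordPress AJAX handler that sets a password for whatever user ID the request names, placed beside a hardened version that requires a logged-in caller, a nonce, proof of the current password, and an authorization check before calling wp_set_password(). The function names, action hook names and POST field names are assumptions made for the example.

```php
<?php
/*
 * Added example: a hypothetical WordPress AJAX password-update handler showing
 * the missing-identity-check pattern, and a hardened replacement. This is not
 * the Prime Listing Manager plugin's code; names and fields are assumed.
 */

// VULNERABLE PATTERN: anyone who can reach admin-ajax.php may name a target
// user ID and set that account's password. Nothing ties the request to the
// account owner: no login required, no nonce, no current-password check.
function plm_example_vulnerable_update_password() {
    $user_id      = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $new_password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    if ( ! $user_id || '' === $new_password || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Identity never verified before the password is overwritten.
    wp_set_password( $new_password, $user_id );
    wp_send_json_success();
}
// Registered for unauthenticated (nopriv) visitors as well as logged-in ones,
// so the handler is reachable by anyone on the internet.
add_action( 'wp_ajax_nopriv_plm_example_update_password', 'plm_example_vulnerable_update_password' );
add_action( 'wp_ajax_plm_example_update_password', 'plm_example_vulnerable_update_password' );

// HARDENED PATTERN: the request must come from a logged-in user, carry a valid
// nonce, prove knowledge of the current password, and may only change the
// caller's own account unless the caller holds the edit_users capability.
function plm_example_hardened_update_password() {
    // Rejects requests without a valid nonce (stops with a 403 by default).
    check_ajax_referer( 'plm_example_update_password', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $caller_id    = get_current_user_id();
    $target_id    = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $caller_id;
    $current_pw   = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new_password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    // Authorization: only your own account, unless you may edit other users.
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( ! get_userdata( $target_id ) ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // Re-authentication: changing your own password requires the current one,
    // so a hijacked browser session alone is not enough to lock the owner out.
    if ( $target_id === $caller_id ) {
        $caller = wp_get_current_user();
        if ( ! wp_check_password( $current_pw, $caller->user_pass, $caller_id ) ) {
            wp_send_json_error( 'current password incorrect', 403 );
        }
    }

    if ( strlen( $new_password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new_password, $target_id );
    wp_send_json_success();
}
// Logged-in visitors only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_plm_example_hardened_update_password', 'plm_example_hardened_update_password' );
```

The important difference is not input sanitization (both versions sanitize the user ID) but identity and authorization: the hardened handler never lets an anonymous request choose which account to modify, and it binds the change to the current session through the nonce and current-password check. When auditing a plugin for this bug class, look for wp_set_password(), wp_update_user() with user_pass, or direct writes to the users table that are reachable from a wp_ajax_nopriv_ hook, a public REST route with a permissive permission_callback, or a form handler that reads the target user from the request.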
At the time of writing, there is no known patch available. Organizations should evaluate mitigations based on risk tolerance, and it may be safest to uninstall the affected plugin and replace it until a verified fix is released. For reference, the CVE record is available here: https://www.cve.org/CVERecord?id=CVE-2025-14892.
Technical or Business Impacts
If exploited, this vulnerability can result in immediate loss of control over your WordPress site. With an administrator account, an attacker can change site settings, create new admin users, modify content, and potentially introduce additional malicious changes that persist even after the original issue is identified.
Business impacts can include website defacement, fraudulent lead capture forms, SEO spam that damages brand reputation, disruption of marketing campaigns, and potential exposure of customer or prospect data stored in the site or accessible through integrations. This can also trigger compliance and reporting obligations depending on what data is accessible and your regulatory environment.
Because there is no known patch, leadership should treat this as an urgent risk decision. Common mitigations include removing the plugin, limiting administrative access, enforcing strong admin credential hygiene (including MFA where possible), reviewing admin accounts for unexpected changes or new users, and ensuring you have clean, tested backups and an incident response plan ready. If there is any indication the flaw has already been used, reset all administrator passwords and invalidate active sessions after the plugin has been removed, since an attacker who reset a password earlier may still hold a working login.
Similar Attacks
Unauthenticated or low-friction privilege escalation in WordPress plugins is a recurring pattern and has been used in real-world campaigns to seize control of sites. Examples include:
Wordfence: WP GDPR Compliance plugin vulnerability exploited (privilege escalation/account takeover)