ListingPro Reviews Vulnerability (Medium) – CVE-2025-58667

Feb 26, 2026 | Plugins

Attack Vectors

ListingPro Reviews (WordPress plugin slug: listingpro-reviews) versions prior to 2.9.11 contain a Medium-severity missing authorization issue (CVSS 5.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) tracked as CVE-2025-58667.

The practical attack path is straightforward: an attacker needs an authenticated WordPress account (subscriber-level access or higher). With that low level of access, they may be able to trigger the affected plugin function remotely over the network without additional user interaction, enabling an unauthorized action within the plugin’s scope.

Security Weakness

This issue is caused by a missing capability check (an authorization control that verifies whether the current user is allowed to perform a sensitive action). When capability checks are absent or incomplete, WordPress may accept requests from users who are logged in but should not have permission to execute the underlying operation.

In business terms, this is a “broken access control” problem: the site correctly identifies the user as logged in, but fails to enforce what that user is allowed to do inside ListingPro Reviews.

Reference: Wordfence advisory source at Wordfence Threat Intelligence.
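To make the weakness concrete, here is an added illustration of the vulnerability class in a WordPress AJAX handler, with the missing-capability-check pattern beside a hardened version. This is hypothetical example code written for this page, not ListingPro Reviews' code; the action names, function names, meta key and status values are all assumed.

```php
<?php
// Hypothetical example of a "missing capability check" in a WordPress plugin.
// Not ListingPro Reviews' code; hook, function and meta names are assumed.

// VULNERABLE PATTERN. The wp_ajax_ prefix (without wp_ajax_nopriv_) means only
// logged-in users reach this handler, so the site knows WHO the user is. But
// nothing checks WHAT the user may do, so a Subscriber can change review state.
add_action( 'wp_ajax_demo_vuln_set_review_status', 'demo_vuln_set_review_status' );
function demo_vuln_set_review_status() {
    $review_id = absint( $_POST['review_id'] ?? 0 );
    $status    = sanitize_key( $_POST['status'] ?? '' );

    // Privileged write performed for any authenticated user.
    update_post_meta( $review_id, 'demo_review_status', $status );
    wp_send_json_success();
}

// HARDENED PATTERN. Authentication (being logged in) is not authorization;
// the handler must verify both request origin (nonce) and user capability.
add_action( 'wp_ajax_demo_set_review_status', 'demo_set_review_status' );
function demo_set_review_status() {
    // CSRF protection: a nonce proves the request came from a form this site
    // rendered. A Subscriber can still obtain a nonce, so this alone is not
    // an authorization control.
    check_ajax_referer( 'demo_review_status', 'nonce' ); // sends 403 and exits on failure

    $review_id = absint( $_POST['review_id'] ?? 0 );
    $status    = sanitize_key( $_POST['status'] ?? '' );

    // Authorization: the meta capability 'edit_post' resolves per post, so a
    // Subscriber (who cannot edit this post) is rejected while an Editor or
    // Administrator passes. This is the check the vulnerable version lacks.
    if ( ! current_user_can( 'edit_post', $review_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation: only accept known states, never a free-form string.
    if ( ! in_array( $status, array( 'approved', 'hidden' ), true ) ) {
        wp_send_json_error( 'bad_status', 400 );
    }

    update_post_meta( $review_id, 'demo_review_status', $status );
    wp_send_json_success( array( 'review_id' => $review_id, 'status' => $status ) );
}
```

When auditing a plugin for this class of bug, list every wp_ajax_, REST route and admin-post callback and confirm each one calls current_user_can() (or a permission_callback for REST) before any write.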

Technical or Business Impacts

Because the vulnerability allows unauthorized actions by low-privilege authenticated users, the likely impact is limited data exposure and limited data manipulation (consistent with the CVSS confidentiality and integrity ratings of Low). Even when the technical impact is “limited,” the business impact can still be meaningful if the affected action touches customer-facing content, reviews, listings, or site trust signals.

Potential outcomes for marketing leaders and executives include reputational harm (customers seeing unexpected changes), loss of confidence in review integrity, added operational burden for incident response and cleanup, and possible compliance concerns if any exposed data is considered regulated or sensitive in your jurisdiction or contractual environment.

Remediation: update ListingPro Reviews to version 2.9.11 or a newer patched release. After updating, review user accounts (especially subscriber-level accounts), rotate passwords where appropriate, and validate that no unauthorized changes were made during the exposure window.

Similar attacks: access-control weaknesses have been exploited in other widely used platforms, including WordPress-related issues such as CVE-2017-1001000 (WordPress REST API content injection) and high-profile privilege-related flaws like CVE-2020-1472 (Zerologon).
