Refine your search
1 vulnerability found for IMITHEMES Listing by imithemes
CVE-2025-2253 (GCVE-0-2025-2253)
Vulnerability from cvelistv5
Published
2025-05-09 06:42
Modified
2026-04-08 16:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-620 - Unverified Password Change
Summary
The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| imithemes | IMITHEMES Listing |
Version: 0 ≤ 3.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T15:41:05.476145Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T15:41:25.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "IMITHEMES Listing",
"vendor": "imithemes",
"versions": [
{
"lessThanOrEqual": "3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alyudin Nafiie"
}
],
"descriptions": [
{
"lang": "en",
"value": "The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user\u0027s passwords, including administrators if the users email is known."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620 Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:52.808Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed0ea4a-9cbf-4033-a31f-6cb954e8ce01?source=cve"
},
{
"url": "https://themeforest.net/item/auto-stars-car-dealership-listings-wp-theme/11560490"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-08T17:58:04.000Z",
"value": "Disclosed"
}
],
"title": "IMITHEMES Listing \u003c= 3.3 - Unauthenticated Privilege Escalation via Unverified Password Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2253",
"datePublished": "2025-05-09T06:42:35.358Z",
"dateReserved": "2025-03-12T14:44:35.469Z",
"dateUpdated": "2026-04-08T16:51:52.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}