CVE-2025-66087 Overview
CVE-2025-66087 is a Missing Authorization vulnerability [CWE-862] affecting the PropertyHive plugin for WordPress. The flaw exists in all versions up to and including 2.1.12. Authenticated users with low privileges can access functionality that should be restricted to higher-privileged accounts due to incorrectly configured access control checks. The issue impacts real estate agencies and property listing sites that rely on PropertyHive to manage listings, contacts, and enquiries.
Critical Impact
Authenticated attackers with minimal privileges can invoke restricted plugin functionality, leading to integrity impact on WordPress sites running PropertyHive <= 2.1.12.
Affected Products
- Property Hive PropertyHive plugin for WordPress
- All versions from n/a through <= 2.1.12
- WordPress installations exposing the plugin's protected endpoints to authenticated users
Discovery Timeline
- 2025-11-21 - CVE-2025-66087 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66087
Vulnerability Analysis
The vulnerability stems from missing authorization checks within the PropertyHive plugin. The plugin exposes actions and endpoints that fail to validate whether the requesting user holds the required capability before executing sensitive operations. As a result, authenticated users at lower privilege levels can trigger functions intended for administrators or property managers.
The weakness is categorized under CWE-862: Missing Authorization. This class of flaw occurs when application code performs a sensitive action but does not verify the caller's role or capability. In WordPress plugins, the typical failure pattern involves omitting current_user_can() checks or nonce validations on AJAX handlers, REST routes, or admin-post actions.
Attackers exploit the flaw over the network with low complexity. The attack requires an authenticated account, but no user interaction. Successful exploitation affects integrity, allowing unauthorized modification of plugin-managed data. Confidentiality and availability are not directly impacted.
Root Cause
The root cause is an access control gap in the PropertyHive plugin code. Functions handling privileged operations lack capability verification. The plugin trusts that endpoint routing alone enforces access boundaries, which does not hold true in WordPress where any authenticated user can reach many plugin endpoints.
Attack Vector
An attacker authenticates to a vulnerable WordPress site using any account, including Subscriber-level access on sites that permit open registration. The attacker then sends crafted HTTP requests to PropertyHive endpoints that should be restricted. Because authorization is not enforced server-side, the plugin executes the requested action and returns success. See the Patchstack WordPress Vulnerability advisory for technical details on the affected endpoints.
Detection Methods for CVE-2025-66087
Indicators of Compromise
- Unexpected modifications to PropertyHive listings, contacts, or enquiry records performed by low-privileged accounts
- WordPress access logs showing authenticated POST requests to PropertyHive AJAX or admin-post endpoints from Subscriber or Contributor accounts
- New or altered plugin data entries with timestamps that do not correlate with legitimate administrator activity
Detection Strategies
- Audit WordPress user activity logs for actions taken by non-privileged users against propertyhive endpoints
- Compare the installed plugin version against 2.1.12; any version at or below is vulnerable
- Review database changes in PropertyHive tables for entries lacking corresponding administrator sessions
Monitoring Recommendations
- Enable a WordPress audit logging plugin to record all authenticated requests to plugin endpoints
- Forward web server access logs to a centralized log platform and alert on repeated POSTs to PropertyHive routes from low-privileged sessions
- Track plugin version inventory across managed WordPress sites and flag deployments running <= 2.1.12
How to Mitigate CVE-2025-66087
Immediate Actions Required
- Update the PropertyHive plugin to a version above 2.1.12 as soon as the vendor publishes a fixed release
- Restrict user registration on WordPress sites running PropertyHive to reduce the pool of authenticated attackers
- Review existing user accounts and remove unused or untrusted low-privileged users
Patch Information
Refer to the Patchstack advisory for PropertyHive for the latest patch status and fixed version guidance. Administrators should verify the plugin changelog before updating and confirm the release notes reference CVE-2025-66087.
Workarounds
- Disable the PropertyHive plugin until an updated version is installed if the affected functionality is not business-critical
- Deploy a Web Application Firewall rule to block requests to PropertyHive endpoints originating from low-privileged authenticated sessions
- Enforce the principle of least privilege and audit all WordPress role assignments to ensure only trusted users hold elevated capabilities
# Verify installed PropertyHive plugin version via WP-CLI
wp plugin get propertyhive --field=version
# Update PropertyHive once a fixed release is available
wp plugin update propertyhive
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

