Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66087

CVE-2025-66087: PropertyHive Auth Bypass Vulnerability

CVE-2025-66087 is an authorization bypass flaw in PropertyHive that allows attackers to exploit misconfigured access controls. This article covers the technical details, affected versions up to 2.1.12, and mitigation.

Published:

CVE-2025-66087 Overview

CVE-2025-66087 is a Missing Authorization vulnerability [CWE-862] affecting the PropertyHive plugin for WordPress. The flaw exists in all versions up to and including 2.1.12. Authenticated users with low privileges can access functionality that should be restricted to higher-privileged accounts due to incorrectly configured access control checks. The issue impacts real estate agencies and property listing sites that rely on PropertyHive to manage listings, contacts, and enquiries.

Critical Impact

Authenticated attackers with minimal privileges can invoke restricted plugin functionality, leading to integrity impact on WordPress sites running PropertyHive <= 2.1.12.

Affected Products

  • Property Hive PropertyHive plugin for WordPress
  • All versions from n/a through <= 2.1.12
  • WordPress installations exposing the plugin's protected endpoints to authenticated users

Discovery Timeline

  • 2025-11-21 - CVE-2025-66087 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66087

Vulnerability Analysis

The vulnerability stems from missing authorization checks within the PropertyHive plugin. The plugin exposes actions and endpoints that fail to validate whether the requesting user holds the required capability before executing sensitive operations. As a result, authenticated users at lower privilege levels can trigger functions intended for administrators or property managers.

The weakness is categorized under CWE-862: Missing Authorization. This class of flaw occurs when application code performs a sensitive action but does not verify the caller's role or capability. In WordPress plugins, the typical failure pattern involves omitting current_user_can() checks or nonce validations on AJAX handlers, REST routes, or admin-post actions.

Attackers exploit the flaw over the network with low complexity. The attack requires an authenticated account, but no user interaction. Successful exploitation affects integrity, allowing unauthorized modification of plugin-managed data. Confidentiality and availability are not directly impacted.

Root Cause

The root cause is an access control gap in the PropertyHive plugin code. Functions handling privileged operations lack capability verification. The plugin trusts that endpoint routing alone enforces access boundaries, which does not hold true in WordPress where any authenticated user can reach many plugin endpoints.

Attack Vector

An attacker authenticates to a vulnerable WordPress site using any account, including Subscriber-level access on sites that permit open registration. The attacker then sends crafted HTTP requests to PropertyHive endpoints that should be restricted. Because authorization is not enforced server-side, the plugin executes the requested action and returns success. See the Patchstack WordPress Vulnerability advisory for technical details on the affected endpoints.

Detection Methods for CVE-2025-66087

Indicators of Compromise

  • Unexpected modifications to PropertyHive listings, contacts, or enquiry records performed by low-privileged accounts
  • WordPress access logs showing authenticated POST requests to PropertyHive AJAX or admin-post endpoints from Subscriber or Contributor accounts
  • New or altered plugin data entries with timestamps that do not correlate with legitimate administrator activity

Detection Strategies

  • Audit WordPress user activity logs for actions taken by non-privileged users against propertyhive endpoints
  • Compare the installed plugin version against 2.1.12; any version at or below is vulnerable
  • Review database changes in PropertyHive tables for entries lacking corresponding administrator sessions

Monitoring Recommendations

  • Enable a WordPress audit logging plugin to record all authenticated requests to plugin endpoints
  • Forward web server access logs to a centralized log platform and alert on repeated POSTs to PropertyHive routes from low-privileged sessions
  • Track plugin version inventory across managed WordPress sites and flag deployments running <= 2.1.12

How to Mitigate CVE-2025-66087

Immediate Actions Required

  • Update the PropertyHive plugin to a version above 2.1.12 as soon as the vendor publishes a fixed release
  • Restrict user registration on WordPress sites running PropertyHive to reduce the pool of authenticated attackers
  • Review existing user accounts and remove unused or untrusted low-privileged users

Patch Information

Refer to the Patchstack advisory for PropertyHive for the latest patch status and fixed version guidance. Administrators should verify the plugin changelog before updating and confirm the release notes reference CVE-2025-66087.

Workarounds

  • Disable the PropertyHive plugin until an updated version is installed if the affected functionality is not business-critical
  • Deploy a Web Application Firewall rule to block requests to PropertyHive endpoints originating from low-privileged authenticated sessions
  • Enforce the principle of least privilege and audit all WordPress role assignments to ensure only trusted users hold elevated capabilities
bash
# Verify installed PropertyHive plugin version via WP-CLI
wp plugin get propertyhive --field=version

# Update PropertyHive once a fixed release is available
wp plugin update propertyhive

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.