CVE-2025-2253: IMITHEMES Listing <= 3.3 - Unauthenticated Privilege Escalation via Unverified Password Reset

9.8 CVSS

Description

The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating a user's password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's password, including an administrator's, if the user's email address is known.
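The pattern CWE-620 names, as an added illustration in WordPress PHP (hypothetical code written for this page, not the plugin's own and not derived from it): a reset handler that trusts a client-supplied code, beside one that binds the reset to a server-issued, expiring key checked through WordPress's own check_password_reset_key(). The function names starting with example_ and the request fields email, new_password, login and key are assumptions.

```php
<?php
// Hypothetical illustration (not the plugin's code) of CWE-620 in a WordPress
// email-based password reset handler, beside a hardened version of the same step.

// WEAK PATTERN: the "code" the client posts is never compared with anything stored
// server-side, so the account's email address alone is enough to change the password.
function example_reset_password_weak() {
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $new_pass = (string) wp_unslash( $_POST['new_password'] ?? '' );
    $user     = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'invalid request' );
    }
    // BUG: $_POST['code'] is never checked against a user-bound, server-stored token.
    wp_set_password( $new_pass, $user->ID );
    wp_send_json_success();
}

// HARDENED, step 1: issue a server-generated, time-limited key bound to the account.
function example_reset_password_request( $email ) {
    $user = get_user_by( 'email', sanitize_email( $email ) );
    if ( $user ) {
        $key = get_password_reset_key( $user ); // stored hashed, with a timestamp
        if ( ! is_wp_error( $key ) ) {
            // Deliver the key out of band only; never return it in the HTTP response.
            wp_mail( $user->user_email, 'Password reset', 'Reset key: ' . $key );
        }
    }
    return true; // identical result for unknown addresses (no account enumeration)
}

// HARDENED, step 2: accept a new password only after the key is verified.
function example_reset_password_confirm() {
    $login    = sanitize_user( wp_unslash( $_POST['login'] ?? '' ) );
    $key      = (string) wp_unslash( $_POST['key'] ?? '' );
    $new_pass = (string) wp_unslash( $_POST['new_password'] ?? '' );
    // check_password_reset_key() looks the key up by login, verifies its hash and
    // rejects expired keys; it returns a WP_User only when all of that holds.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid or expired reset key' );
    }
    if ( strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'password too short' );
    }
    reset_password( $user, $new_pass ); // wp_set_password() also clears the stored key
    wp_send_json_success();
}
```

Detection-wise, the same idea applies when reviewing other plugins: any code path that calls wp_set_password() or reset_password() reachable without a prior check_password_reset_key() (or an equivalent stored-token comparison) deserves the same scrutiny.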

Classification

CVE ID: CVE-2025-2253

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-620 Unverified Password Change

Affected Products

Vendor: imithemes

Product: IMITHEMES Listing

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 22.88% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-07 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2253
https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed0ea4a-9cbf-4033-a31f-6cb954e8ce01?source=cve
https://themeforest.net/item/auto-stars-car-dealership-listings-wp-theme/11560490

Timeline