CVE-2025-2253 | CRITICAL 9.8 | EPSS percentile 48.3%


Description

The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating the verification code value before updating a user's password in the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's password, including an administrator's, if the user's email address is known.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.70% probability of exploitation · percentile 48.3% · 2026-06-19T12:03:05Z
Published: 2025-05-09
Last modified: 2026-04-15

Underlying weaknesses (1)

CWE-620 (Unverified Password Change)

References

  1. https://themeforest.net/item/auto-stars-car-dealership-listings-wp-theme/11560490
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed0ea4a-9cbf-4033-a31f-6cb954e8ce01?source=cve


Type: Weakness
Target: Unverified Password Change (cwe-620)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-4322
  2. CVE: CVE-2025-15030
  3. CVE: CVE-2025-3101
  4. CVE: CVE-2025-14975
  5. CVE: CVE-2025-3607
  6. CVE: CVE-2025-2526

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.