CVE-2025-60123: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-60123) was discovered in HivePress Claim Listings plugin versions through 1.1.3. The vulnerability was disclosed on September 26, 2025, and was identified by security researcher Bao from BlueRock. The issue allows exploiting incorrectly configured access control security levels in the WordPress plugin (Patchstack, NVD).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 4.3 (Medium). The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges for exploitation. The issue stems from missing authorization checks that could allow unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability has been assessed with a low severity impact, primarily affecting the integrity of the system with no direct impact on confidentiality or availability. The CVSS scoring indicates that while the vulnerability can be exploited remotely, it requires some level of privileges and only results in limited impact to the affected system (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The security issue has been deemed to have a low severity impact and is considered unlikely to be exploited. Patchstack issued an early warning to their customers on September 26, 2025 (Patchstack).