The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any users passwords, including administrators if the users email is known.
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.