Description
The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
Published: 2025-03-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

The Realteo plugin for WordPress allows any unauthenticated user to register an account with Administrator privileges because the do_register_user function does not restrict role assignment. The vulnerability is a classic authentication bypass that gives a malicious actor full site control, including content creation, user management, and potential data exfiltration. The weakness is categorized as CWE‑269: Improper Restriction of Excessive Privileges.

Affected Systems

Users of the PureThemes Realteo plugin, version 1.2.8 or earlier, on WordPress installations that employ the Findeo theme, are susceptible. The plugin’s role handling flaw exists across all affected releases, with no service or environment constraints documented.

Risk and Exploitability

The CVSS score of 9.8 classifies this as a critical flaw, and although the EPSS score is currently below 1%, the vulnerability remains exploitable because the attack requires only a web request to the public registration endpoint and no authentication credentials. The lack of a CISA KEV listing does not diminish the potential impact; any site using a vulnerable plugin version can be compromised at any time.

Generated by OpenCVE AI on April 20, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Realteo plugin to the latest version, which removes the role‑by‑user functionality or corrects the role assignment logic.
  • If an upgrade is not immediately possible, limit access to the registration endpoint by firewall rules or by disabling public registration in WordPress settings, then manually set new user roles to non‑admin.
  • Continuously monitor the WordPress user database for newly created Administrator accounts and audit any unexpected changes to user roles.

Generated by OpenCVE AI on April 20, 2026 at 23:34 UTC.
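
Added here as a defensive example (not code from the page, from OpenCVE, or from the Realteo/Findeo vendor) covering the second and third recommended actions: a drop-in WordPress mu-plugin in PHP that demotes any account given the administrator role outside an authorised admin session and logs the event, plus an audit helper that lists recently registered administrators. It assumes the role is applied through WordPress's standard WP_User::set_role()/add_role() API, so the set_user_role and add_user_role hooks fire; the guard_* function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Guard against self-assigned administrator role
 * Description: Drop-in for wp-content/mu-plugins/ (defensive example, not the vendor fix).
 */

// A role change counts as authorised only during install/WP-CLI or when the
// acting request belongs to a logged-in user allowed to promote users.
function guard_role_change_is_authorised() {
    if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return true;
    }
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

// Runs from the set_user_role / add_user_role hooks that WP_User::set_role() and
// add_role() fire (wp_insert_user() calls set_role() when a 'role' is supplied).
// Assumption: the registration code applies the role through this standard API.
function guard_on_role_assignment( $user_id, $role ) {
    if ( 'administrator' !== $role || guard_role_change_is_authorised() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) { return; }
    // Never fall back to administrator itself, or set_role() below would loop.
    $fallback = get_option( 'default_role', 'subscriber' );
    if ( 'administrator' === $fallback ) {
        $fallback = 'subscriber';
    }
    error_log( sprintf(
        'guard: blocked administrator role for %s (ID %d) from %s; reset to %s',
        $user->user_login, $user_id, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fallback
    ) );
    // set_role() replaces every role; the re-fired hook sees $fallback and returns early.
    $user->set_role( $fallback );
}
add_action( 'set_user_role', 'guard_on_role_assignment', 10, 2 );
add_action( 'add_user_role', 'guard_on_role_assignment', 10, 2 );
// Audit helper for the monitoring step: administrators registered in the last N days.
function guard_recent_admins( $days = 30 ) {
    $since  = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );
    $recent = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $admin ) {
        if ( $admin->user_registered >= $since ) {
            $recent[] = $admin->user_login . ' (registered ' . $admin->user_registered . ')';
        }
    }
    return $recent;
}
```

guard_recent_admins() can be run from a scheduled task or WP-CLI (wp eval) and compared against the known administrator list; any name not on that list warrants a role audit.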

Advisories

Source: EUVD
ID: EUVD-2025-6416
Title: The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.

History

Mon, 14 Jul 2025 13:45:00 +0000
  Metrics (epss)
    Values removed: {'score': 0.00242}
    Values added:   {'score': 0.003}

Tue, 25 Mar 2025 20:30:00 +0000
  First Time appeared
    Values added: Purethemes; Purethemes realteo
  Weaknesses
    Values added: NVD-CWE-noinfo
  CPEs
    Values added: cpe:2.3:a:purethemes:realteo:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    Values added: Purethemes; Purethemes realteo

Fri, 14 Mar 2025 13:15:00 +0000
  Metrics (ssvc)
    Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 14 Mar 2025 11:30:00 +0000
  Description
    Values added: The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
  Title
    Values added: Realteo - Real Estate Plugin by Purethemes <= 1.2.8 - Authentication Bypass via 'do_register_user'
  Weaknesses
    Values added: CWE-269
  References
  Metrics (cvssV3_1)
    Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE
  Status: PUBLISHED
  Assigner: Wordfence
  Updated: 2026-04-08T17:14:44.752Z
  Reserved: 2025-03-11T22:28:58.175Z
  Link: CVE-2025-2232

Vulnrichment
  Updated: 2025-03-14T12:42:23.992Z

NVD
  Status: Analyzed
  Published: 2025-03-14T12:15:14.887
  Modified: 2025-03-25T20:13:28.670
  Link: CVE-2025-2232

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-20T23:45:21Z

Weaknesses