Description
The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.
Published: 2025-05-06
Score: 8.8 High
EPSS: 1.4% Low
KEV: No
Impact: Privilege Escalation via account takeover
Action: Apply Patch
AI Analysis

Impact

The Reales WP STPT plugin for WordPress allows authenticated attackers with subscriber or higher privileges to update the passwords and email addresses of any user, including administrators, because the plugin fails to verify the identity of the requestor before making the changes. This flaw leads to a full account takeover and can be exploited to gain control of administrative accounts, resulting in a compromise of the entire WordPress site. The weakness is mapped to CWE‑639, Insufficient Verification of User Credentials.
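As an added illustration of the flaw class described above (this is constructed for this note and is not the Reales WP STPT plugin's code), the hypothetical WordPress AJAX handler below shows the CWE-639 pattern of trusting a client-supplied user ID beside a hardened form that binds the update to the authenticated identity, checks a nonce, and requires the `edit_user` capability for any other target. The `hypothetical_` function names and the nonce action string are assumptions; the WordPress core functions used (`wp_update_user`, `get_current_user_id`, `current_user_can`, `check_ajax_referer`, `wp_check_password`, `wp_send_json_error`) are real.

```php
<?php
// Hypothetical profile-update handlers illustrating the account-takeover
// pattern (CWE-639). Constructed for this note; not the plugin's code.

// VULNERABLE pattern: the target user is taken from the request and no check
// ties it to the logged-in user, so any subscriber can update any account.
function hypothetical_vulnerable_update_profile() {
    $user_id = intval( $_POST['user_id'] ?? 0 );
    $data    = array( 'ID' => $user_id );
    if ( ! empty( $_POST['user_email'] ) ) {
        $data['user_email'] = sanitize_email( wp_unslash( $_POST['user_email'] ) );
    }
    if ( ! empty( $_POST['user_pass'] ) ) {
        $data['user_pass'] = $_POST['user_pass']; // wp_update_user() hashes it
    }
    wp_update_user( $data );
    wp_send_json_success();
}

// HARDENED pattern: verify a nonce, derive the target from the session,
// require edit_user for anyone else, and re-authenticate for a password change.
function hypothetical_hardened_update_profile() {
    // Nonce action name is an assumption for this example.
    check_ajax_referer( 'hypothetical_update_profile', 'nonce' );

    $current_id = get_current_user_id();
    if ( 0 === $current_id ) {
        wp_send_json_error( 'not logged in', 401 ); // wp_send_json_* calls wp_die()
    }

    // Default to self; a different target needs the edit_user capability,
    // which subscribers do not hold.
    $target_id = intval( $_POST['user_id'] ?? $current_id );
    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $data = array( 'ID' => $target_id );
    if ( ! empty( $_POST['user_email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['user_email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( 'invalid email', 400 );
        }
        $data['user_email'] = $email;
    }

    if ( ! empty( $_POST['user_pass'] ) ) {
        // A user changing their own password must prove the current one.
        if ( $target_id === $current_id ) {
            $user = get_userdata( $current_id );
            $ok   = wp_check_password( $_POST['current_pass'] ?? '', $user->user_pass, $user->ID );
            if ( ! $ok ) {
                wp_send_json_error( 'current password incorrect', 403 );
            }
        }
        $data['user_pass'] = $_POST['user_pass'];
    }

    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_hypothetical_update_profile', 'hypothetical_hardened_update_profile' );
```

The key difference is that the hardened handler never lets a request parameter alone decide whose record is written: the session supplies the identity, the capability system decides whether editing another user is permitted, and a password change on one's own account requires the current password. Those three checks are what a reviewer would look for in any plugin endpoint that writes to user records.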

Affected Systems

All installations of the Reales WP STPT plugin by pixel_prime that use version 2.1.2 or older are affected. The issue exists in WordPress sites running these plugin versions, regardless of the overall WordPress core version.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8 and an EPSS score of 1%, indicating a high severity and a low but non‑zero probability of exploitation. Because the attack vector requires an authenticated user with at least subscriber privileges, an attacker first needs to obtain valid credentials or be a legitimate user. Once authenticated, the attacker can change any user's password and email address, enabling them to take over administrative accounts. Additionally, when combined with CVE‑2025‑3609, a remote code execution path becomes possible for an unauthenticated user. The flaw is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Reales WP STPT plugin to a version newer than 2.1.2.
  • If an upgrade cannot be performed immediately, remove or deactivate the plugin to prevent unauthorized password changes.
  • Restrict subscriber-level access by tightening role capabilities and enforcing strong password policies for administrators.


Advisories

Source: EUVD
ID: EUVD-2025-13394
Title: The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00212}
Values Added: epss {'score': 0.00247}


Tue, 06 May 2025 03:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 06 May 2025 02:30:00 +0000

Type: Description
Values Added: The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.

Type: Title
Values Added: Reales WP STPT <= 2.1.2 - Authenticated (Subscriber+) Privilege Escalation via Password Update

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:36.409Z

Reserved: 2025-04-14T20:19:19.334Z

Link: CVE-2025-3610

Vulnrichment

Updated: 2025-05-06T02:37:14.154Z

NVD

Status : Deferred

Published: 2025-05-06T03:15:17.777

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3610

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:36Z

Weaknesses