{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4601", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-12T17:44:22.374Z", "datePublished": "2025-06-10T03:41:38.102Z", "dateUpdated": "2026-04-08T17:13:49.609Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:49.609Z"}, "affected": [{"vendor": "InspiryThemes", "product": "RH - Real Estate WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.4.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The \"RH - Real Estate WordPress Theme\" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1."}], "title": "RH - Real Estate WordPress Theme <= 4.4.0 - Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a816e5a8-2494-4bcf-869d-5214b21f7791?source=cve"}, {"url": "https://themeforest.net/item/real-homes-wordpress-real-estate-theme/5373914"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Th\u00e1i An"}], "timeline": [{"time": "2025-06-09T14:53:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-10T14:09:38.618183Z", "id": "CVE-2025-4601", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T14:10:12.864Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4601", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-10T14:09:38.618183Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T14:10:09.978Z"}}], "cna": {"title": "RH - Real Estate WordPress Theme <= 4.4.0 - Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Th\u00e1i An"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "InspiryThemes", "product": "RH - Real Estate WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.4.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-09T14:53:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a816e5a8-2494-4bcf-869d-5214b21f7791?source=cve"}, {"url": "https://themeforest.net/item/real-homes-wordpress-real-estate-theme/5373914"}], "descriptions": [{"lang": "en", "value": "The \"RH - Real Estate WordPress Theme\" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:49.609Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4601", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:49.609Z", "dateReserved": "2025-05-12T17:44:22.374Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-10T03:41:38.102Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The \"RH - Real Estate WordPress Theme\" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1."}, {"lang": "es", "value": "El tema \"RH - Tema WordPress para Bienes Ra\u00edces\" para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 4.4.0 incluida. Esto se debe a que el tema no restringe correctamente los roles de usuario que se pueden actualizar mediante la funci\u00f3n inspiry_update_profile(). Esto permite que atacantes autenticados, con acceso de suscriptor o superior, configuren su rol como administrador. La vulnerabilidad se corrigi\u00f3 parcialmente en la versi\u00f3n 4.4.0 y completamente en la 4.4.1."}], "id": "CVE-2025-4601", "lastModified": "2025-06-12T16:06:39.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-06-10T04:15:49.113", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/real-homes-wordpress-real-estate-theme/5373914"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a816e5a8-2494-4bcf-869d-5214b21f7791?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{}