Description
The Realty Portal – Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role.
Published: 2025-07-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Realty Portal – Agent plugin for WordPress contains a missing authorization check in the rp_user_profile() AJAX handler for versions 0.1.0 through 0.3.9. The handler accepts client‑supplied meta key/value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This allows any authenticated user with Subscriber-level access or higher to overwrite the wp_capabilities meta field and grant themselves the administrator role, effectively taking full control of the site.

Affected Systems

This issue affects the Realty Portal – Agent plugin, published by Nootheme, in WordPress installations that use plugin versions 0.1.0 to 0.3.9. Users of later releases are not impacted unless the vulnerability has been reintroduced.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating a high‑severity issue. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The attack requires the attacker to be authenticated but only at the Subscriber level, which many websites grant to regular users. Once authenticated, the attacker can trigger the AJAX request to elevate privileges to administrator, leading to full control over the site, potential data exfiltration, and modification of site settings.

Generated by OpenCVE AI on April 20, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Realty Portal – Agent plugin to a version that removes the missing authorization check, such as the latest release available from the vendor.
  • Add a firewall or role‑based rule to block authenticated users from accessing the rp_user_profile() AJAX endpoint, ensuring that only administrators can invoke it.
  • If an update cannot be applied immediately, manually modify the plugin’s rp_user_profile() function to validate or hard‑code allowed meta keys, or disable the endpoint altogether.

Generated by OpenCVE AI on April 20, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-22401 The Realty Portal – Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role.
History

Wed, 23 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 23 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 23 Jul 2025 02:45:00 +0000

Type Values Removed Values Added
Description The Realty Portal – Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role.
Title Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:43.116Z

Reserved: 2025-06-16T21:52:52.243Z

Link: CVE-2025-6190

cve-icon Vulnrichment

Updated: 2025-07-23T18:28:52.660Z

cve-icon NVD

Status : Deferred

Published: 2025-07-23T03:15:24.963

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6190

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses