Description
The Reveal Listing plugin by smartdatasoft for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.3. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'listing_user_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
Published: 2025-08-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated privilege escalation to administrator
Action: Apply Patch
AI Analysis

Impact

The vulnerability in Reveal Listing allows anyone who can register a new account to assign themselves the administrator role. This bypasses normal WordPress role restrictions and gives full control over the site, including changing themes, installing plugins, and accessing sensitive data. The weakness is an improper privilege management flaw, identified as CWE-269.

Affected Systems

SmartDataSoft's Reveal Listing WordPress plugin is affected in all releases up to and including version 3.3. WordPress sites that have the plugin installed and still allow open registration are susceptible. No other versions or products are listed.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% shows a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply submitting a registration request with the "listing_user_role" parameter set to an administrative role, requiring no credentials. Once the account is created, the attacker has full administrative privileges.

Generated by OpenCVE AI on April 20, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Reveal Listing to the latest version that removes the role selection parameter
  • If unable to update immediately, disable public user registration or limit the registration role to a non-privileged default
  • Review user accounts for unexpected administrator entries and revoke any that were created with elevated privileges
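The following PHP is an illustrative example added here; it is not code from the Reveal Listing plugin. It shows the self-registration handler pattern behind this class of bug (the role copied from a request field) beside a hardened version that never reads the role from the request, plus a small helper for the account review in the last recommended action. All rl_demo_* function names, the rl_demo_nonce form field and its nonce action are assumed; the WordPress API calls (wp_insert_user, get_option, get_users, wp_verify_nonce) are real.

```php
<?php
/**
 * Added illustrative example; not code from the Reveal Listing plugin.
 * Bug class on this page (CWE-269): a self-registration handler copies the
 * request field 'listing_user_role' into the new user's role.
 * All rl_demo_* names, the nonce action and the form field names are assumed.
 */

// BEFORE (illustrative vulnerable pattern): the role comes from the request,
// so an unauthenticated visitor chooses their own role at signup.
function rl_demo_register_vulnerable() {
    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => sanitize_key( $_POST['listing_user_role'] ?? '' ), // attacker-controlled
    ) );
}

// AFTER (hardened): the role is a server-side decision. The request field is
// ignored entirely; the site's configured default role is used instead.
function rl_demo_register_hardened() {
    // Registration must be explicitly enabled and the form must carry a valid nonce.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }
    $nonce = isset( $_POST['rl_demo_nonce'] ) ? (string) wp_unslash( $_POST['rl_demo_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'rl_demo_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['user_pass'] ?? '' );
    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        return new WP_Error( 'invalid_input', 'A login, a valid email and a password of 12+ characters are required.' );
    }

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => rl_demo_registration_role(), // never from $_POST
    ) );
}

// The only role a self-registered account may receive. If a site must offer a
// choice, compare the request against a fixed list of non-privileged roles here
// rather than trusting the value; 'administrator' is never on such a list.
function rl_demo_registration_role() {
    $default    = get_option( 'default_role', 'subscriber' );
    $privileged = array( 'administrator', 'editor' );
    return in_array( $default, $privileged, true ) ? 'subscriber' : $default;
}

// Audit helper for the third recommended action: administrator accounts whose
// registration date is on or after $since_gmt (a 'Y-m-d' or 'Y-m-d H:i:s' string).
function rl_demo_admins_registered_since( $since_gmt ) {
    $flagged = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( strtotime( $user->user_registered ) >= strtotime( $since_gmt ) ) {
            $flagged[] = sprintf( '%s <%s> registered %s', $user->user_login, $user->user_email, $user->user_registered );
        }
    }
    return $flagged;
}
```

Compare the output of rl_demo_admins_registered_since() against the list of administrators the site owner actually created; any entry not on that list should be revoked and its activity reviewed. From the shell, `wp user list --role=administrator` produces the same listing without custom code.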



Advisories

Source: EUVD
ID: EUVD-2025-23782
Title: The Reveal Listing plugin by smartdatasoft for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.3. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'listing_user_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
History

Wed, 06 Aug 2025 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 Aug 2025 08:15:00 +0000

Type: First Time appeared
Values Added: Smartdatasoft; Smartdatasoft reveal Listing; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Smartdatasoft; Smartdatasoft reveal Listing; Wordpress; Wordpress wordpress

Wed, 06 Aug 2025 04:00:00 +0000

Type: Description
Values Added: The Reveal Listing plugin by smartdatasoft for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.3. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'listing_user_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

Type: Title
Values Added: Reveal Listing <= 3.3 - Unauthenticated Privilege Escalation

Type: Weaknesses
Values Added: CWE-269

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:56.955Z

Reserved: 2025-07-01T21:35:42.219Z

Link: CVE-2025-6994

Vulnrichment

Updated: 2025-08-06T19:29:18.550Z

NVD

Status: Deferred

Published: 2025-08-06T04:16:20.197

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses