Overview
A high-severity vulnerability, identified as CVE-2025-11985, has been discovered in the Realty Portal plugin for WordPress. This vulnerability allows authenticated attackers with Subscriber-level access (or higher) to escalate their privileges to administrator. Versions 0.1 through 0.4.1 are affected. Immediate action is recommended to mitigate this risk.
Technical Details
The vulnerability stems from a missing capability check in the rp_save_property_settings function, the handler for the plugin's AJAX request that saves property settings. Handlers registered through WordPress's wp_ajax_ hooks run for any logged-in user regardless of role, so the handler itself must verify that the current user is allowed to change site options before it does so. The plugin performs no such authorization check, which means any authenticated user can craft a request that updates arbitrary WordPress options, including those controlling user registration and the default role assigned to new accounts.
The critical weakness lies in the absence of a current_user_can() check (see WordPress documentation) before executing the option update. This allows a user with limited privileges to manipulate core WordPress settings.
Affected Code Snippets (from version 0.1)
- Enqueue function: This highlights the AJAX endpoint used.
- AJAX processing (Part 1): Shows the beginning of the AJAX save function.
- AJAX processing (Part 2): Shows the point where the options are updated without proper authorization.
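The following is an added illustrative example, not the Realty Portal plugin's own code: a minimal AJAX handler in the vulnerable shape the advisory describes (CWE-862, no authorization before update_option) next to a hardened version that adds the current_user_can() check, nonce verification and an allowlist of option names. The action name, nonce name, option names and request fields are assumptions chosen for the demonstration.

```php
<?php
// Added illustrative example, not the Realty Portal plugin's own code.
// The action name, nonce name, option allowlist and field names below are
// assumptions chosen for the demonstration.

/**
 * Vulnerable shape (CWE-862): an authenticated AJAX handler that writes
 * whatever option name and value the request supplies, with no check that
 * the caller is allowed to do so. wp_ajax_* hooks fire for every logged-in
 * user, so a Subscriber reaches this code path.
 */
function rp_example_save_settings_vulnerable() {
    $name  = isset($_POST['option_name'])  ? wp_unslash($_POST['option_name'])  : '';
    $value = isset($_POST['option_value']) ? wp_unslash($_POST['option_value']) : '';
    update_option($name, $value); // nothing stops $name from being a core option such as default_role
    wp_send_json_success();
}

/**
 * Hardened version: verify intent (nonce), verify authority (capability),
 * and write only the options this feature owns, with sanitized values.
 */
function rp_example_save_settings_hardened() {
    // 1. CSRF protection: the nonce proves the request came from the plugin's own UI.
    check_ajax_referer('rp_example_settings', 'nonce');

    // 2. Authorization: only users allowed to manage options may proceed.
    //    This is the current_user_can() check the advisory describes as missing.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions'), 403);
    }

    // 3. Allowlist: the client never chooses the option name, and each value
    //    goes through a sanitizer appropriate to its type.
    $allowed = array(
        'rp_example_listings_per_page' => 'absint',
        'rp_example_currency'          => 'sanitize_text_field',
    );

    $updated = array();
    foreach ($allowed as $option => $sanitizer) {
        if (!isset($_POST[$option])) {
            continue;
        }
        $clean = call_user_func($sanitizer, wp_unslash($_POST[$option]));
        update_option($option, $clean);
        $updated[] = $option;
    }

    wp_send_json_success(array('updated' => $updated));
}

// Only the hardened handler is registered; the vulnerable one is kept for contrast.
add_action('wp_ajax_rp_example_save_settings', 'rp_example_save_settings_hardened');
```

The nonce and the capability check answer different questions (did this request come from the intended form, and is this user permitted to make the change), so neither substitutes for the other; the allowlist removes the third ingredient of the bug, letting the client name the option to write.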
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-11985 is 8.8 (High).
This score reflects the vulnerability's high impact and ease of exploitation. The vector is likely to include network access, low attack complexity and the need for a low-privileged authenticated account; the severity is driven by the damage achievable, namely complete compromise of the WordPress site.
Possible Impact
Successful exploitation of this vulnerability can have severe consequences:
- Privilege Escalation: Attackers can elevate their privileges to administrator, gaining full control over the WordPress site.
- Website Defacement: With administrative access, attackers can modify the website’s content, deface it, or inject malicious code.
- Data Theft: Sensitive data stored on the WordPress site, including user information and database contents, can be accessed and stolen.
- Malware Distribution: The compromised site can be used to distribute malware to visitors.
- Backdoor Installation: Attackers can install backdoors to maintain persistent access to the compromised system, even after the initial vulnerability is patched.
Mitigation and Patch Steps
The most effective way to mitigate this vulnerability is to immediately update the Realty Portal plugin to the latest available version, which should include a fix for CVE-2025-11985. If an update is not yet available, consider temporarily disabling the plugin until a patched version is released.
Additionally, it’s prudent to review user roles and permissions on your WordPress site. Limit the number of users with administrative privileges and monitor user activity for any suspicious behavior.
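To support the monitoring recommended above, here is an added example, not part of the advisory or the Realty Portal plugin: a small must-use plugin that logs every change to the core options an attacker would need to touch in this scenario (self-registration and the default role for new accounts), together with who made the change and whether it arrived through admin-ajax.php. The option names are real WordPress core options; the log format and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: Example sensitive-option audit log
 *
 * Added illustrative example, not part of the advisory or the Realty Portal
 * plugin. Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * The option list uses real WordPress core option names; the log format and
 * function names are assumptions.
 */

// Core options whose modification by a low-privilege user is the signature of
// the missing-authorization pattern the advisory describes.
function rp_audit_sensitive_options() {
    return array('users_can_register', 'default_role', 'admin_email', 'siteurl', 'home');
}

// Summarise the acting user and the request path for the log line.
function rp_audit_describe_request() {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode(',', $user->roles) : 'none';
    $ajax  = (wp_doing_ajax() && isset($_REQUEST['action']))
        ? sanitize_key(wp_unslash($_REQUEST['action']))
        : '-';
    $ip = isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field($_SERVER['REMOTE_ADDR']) : '-';

    return sprintf('user=%d(%s) roles=%s ajax_action=%s ip=%s',
        $user->ID, $user->user_login, $roles, $ajax, $ip);
}

// updated_option fires after every successful update_option() call with
// ($option, $old_value, $value), so it also sees writes made by plugin code.
add_action('updated_option', function ($option, $old_value, $value) {
    if (!in_array($option, rp_audit_sensitive_options(), true)) {
        return;
    }

    error_log(sprintf('[option-audit] %s changed from %s to %s; %s',
        $option,
        wp_json_encode($old_value),
        wp_json_encode($value),
        rp_audit_describe_request()
    ));

    // Legitimate changes to these options come from users who hold
    // manage_options; anything else deserves an alert, not just a record.
    if (!current_user_can('manage_options')) {
        error_log(sprintf('[option-audit] ALERT: %s changed by a user without manage_options', $option));
    }
}, 10, 3);
```

Forward the PHP error log to whatever collector the site already uses and alert on the ALERT lines; a change to default_role or users_can_register by an account that is not an administrator should be treated as an active compromise, and the first response is to revert the option, audit recently created users, and disable the offending plugin.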
References
- CVE ID: CVE-2025-11985
- CWE: CWE-862 – Missing Authorization
- WordPress Function: current_user_can()
- Realty Portal Plugin (version 0.1) – Enqueue: Realty Portal Enqueue
- Realty Portal Plugin (version 0.1) – AJAX Save (Part 1): Realty Portal AJAX Save (Part 1)
- Realty Portal Plugin (version 0.1) – AJAX Save (Part 2): Realty Portal AJAX Save (Part 2)
- Wordfence Threat Intelligence: Wordfence Analysis of CVE-2025-11985
