{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1285", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-13T17:58:40.682Z", "datePublished": "2025-03-14T04:22:32.126Z", "dateUpdated": "2026-04-08T16:45:53.732Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:53.732Z"}, "affected": [{"vendor": "SmartDataSoft", "product": "Resido - Real Estate WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details."}], "title": "Resido - Real Estate WordPress Theme <= 3.6 - Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3512ce8f-b7a6-4a6f-a141-bca08c183882?source=cve"}, {"url": "https://themeforest.net/item/resido-real-estate-wordpress-theme/31804443"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2025-03-13T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-14T15:12:44.709788Z", "id": "CVE-2025-1285", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T15:13:58.496Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1285", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-14T15:12:44.709788Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T15:13:45.539Z"}}], "cna": {"title": "Resido - Real Estate WordPress Theme <= 3.6 - Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "SmartDataSoft", "product": "Resido - Real Estate WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-13T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3512ce8f-b7a6-4a6f-a141-bca08c183882?source=cve"}, {"url": "https://themeforest.net/item/resido-real-estate-wordpress-theme/31804443"}], "descriptions": [{"lang": "en", "value": "The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:53.732Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1285", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:53.732Z", "dateReserved": "2025-02-13T17:58:40.682Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-14T04:22:32.126Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details."}, {"lang": "es", "value": "El tema Resido - Real Estate WordPress Theme para WordPress es vulnerable a accesos no autorizados debido a la falta de comprobaci\u00f3n de capacidad en las acciones AJAX delete_api_key y save_api_key en todas las versiones hasta la 3.6 incluida. Esto permite que atacantes no autenticados env\u00eden solicitudes a servicios internos y actualicen la informaci\u00f3n de la clave API."}], "id": "CVE-2025-1285", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-14T05:15:41.977", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/resido-real-estate-wordpress-theme/31804443"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3512ce8f-b7a6-4a6f-a141-bca08c183882?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:57:17.358456+00:00", "value": {"mitigation_remediation": ["Update the Resido theme to the latest available version that implements a capability check on the delete_api_key and save_api_key AJAX actions.", "If an immediate theme upgrade is not possible, add a capability verification to those AJAX endpoints, or restrict access to logged\u2011in users with an appropriate role or permission level.", "As an interim workaround, disable or remove the API key functionality from the theme until a patch is applied, reducing the attack surface."], "summary": {"action": "Upgrade", "impact": "Unauthorized modification of API keys via unauthenticated AJAX actions, enabling server\u2011side request forgery and potential internal service abuse"}, "threat_synthesis": {"affected_systems": "Any WordPress installation using the SmartDataSoft Resido theme version 3.6 or earlier is vulnerable. The issue resides in the listed themelist and is not limited to a specific sub\u2011plugin or configuration variant.", "description_and_impact": "The Resido real\u2011estate WordPress theme allows unauthenticated users to call the delete_api_key and save_api_key AJAX actions without a capability check. This omission permits attackers to send requests to internal services and alter the API key settings of the site, effectively bypassing authorized controls and exposing sensitive credentials or facilitating further access through internal network resources.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% shows a low likelihood of exploitation in the wild. The vulnerability is not yet listed in CISA's KEV catalog, suggesting that large\u2011scale attacks are not currently observed. Attackers would need only to craft unauthenticated AJAX requests targeting the vulnerable theme\u2019s endpoints, a simple technique that can be automated if the vulnerability is publicly known."}}}}, "created": "2026-04-21T22:00:26.599729+00:00", "updated": "2026-04-21T22:00:26.599739+00:00", "vendors": []}