{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3609", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-14T20:16:57.211Z", "datePublished": "2025-05-06T01:42:44.208Z", "dateUpdated": "2026-04-08T17:34:17.501Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:17.501Z"}, "affected": [{"vendor": "pixel_prime", "product": "Reales WP STPT", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation."}], "title": "Reales WP STPT <= 2.1.2 - Unauthorized User Registration", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9f3250f-39a1-4ba1-b9a2-222926635ca0?source=cve"}, {"url": "https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-05-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-06T02:36:20.122494Z", "id": "CVE-2025-3609", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T02:36:28.381Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3609", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-06T02:36:20.122494Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T02:36:24.874Z"}}], "cna": {"title": "Reales WP STPT <= 2.1.2 - Unauthorized User Registration", "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "pixel_prime", "product": "Reales WP STPT", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-05T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9f3250f-39a1-4ba1-b9a2-222926635ca0?source=cve"}, {"url": "https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568"}], "descriptions": [{"lang": "en", "value": "The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-06T01:42:44.208Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3609", "state": "PUBLISHED", "dateUpdated": "2025-05-06T02:36:28.381Z", "dateReserved": "2025-04-14T20:16:57.211Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-06T01:42:44.208Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation."}, {"lang": "es", "value": "El complemento Reales WP STPT para WordPress es vulnerable al registro no autorizado de usuarios en todas las versiones hasta la 2.1.2 incluida. Esto se debe a que la acci\u00f3n AJAX \u00abreales_user_signup_form\u00bb no verifica si el registro de usuarios est\u00e1 habilitado antes de registrarlos. Esto permite que atacantes no autenticados creen nuevas cuentas de usuario, lo que puede aprovecharse con CVE-XX para lograr una escalada de privilegios."}], "id": "CVE-2025-3609", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-06T03:15:17.620", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9f3250f-39a1-4ba1-b9a2-222926635ca0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:57:18.706342+00:00", "value": {"mitigation_remediation": ["Update Reales WP STPT to a patched version that includes registration verification.", "Disable user registration on the WordPress site or via plugin settings until the update is applied.", "Audit the site\u2019s user accounts for unauthorized registrations and remove any that appear to be created by the flaw."], "summary": {"action": "Patch", "impact": "Unauthorized User Creation"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has the Reales WP STPT plugin from pixel_prime, using version 2.1.2 or earlier.", "description_and_impact": "The Reales WP STPT plugin allows an unauthenticated attacker to create new user accounts because the 'reales_user_signup_form' AJAX action does not verify whether user registration is enabled. This omission means an attacker can add a user account through the site\u2019s web interface, potentially giving access to higher\u2011level functions. The flaw is an instance of improper authorization, classified as CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% reflects a low likelihood of exploitation. The vulnerability is exploitable remotely via the plugin\u2019s AJAX endpoint, requiring no prior authentication. The flaw is not listed in CISA\u2019s KEV catalog, so there is no public evidence of active attacks yet, but it could be leveraged together with other flaws to achieve privilege escalation."}}}}, "created": "2025-07-12T22:31:58.543228+00:00", "updated": "2026-04-20T23:00:14.175244+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}