{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6190", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-16T21:52:52.243Z", "datePublished": "2025-07-23T02:24:38.989Z", "dateUpdated": "2026-04-08T17:16:43.116Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:43.116Z"}, "affected": [{"vendor": "nootheme", "product": "Realty Portal \u2013 Agent", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.3.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Realty Portal \u2013 Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role."}], "title": "Realty Portal \u2013 Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3adfe9e-ebdf-4a50-b60f-03a606a84ec0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/realty-portal-agent/trunk/includes/class-agent-process.php#L494"}, {"url": "https://wordpress.org/plugins/realty-portal-agent/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2025-07-22T14:03:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-23T18:28:46.571643Z", "id": "CVE-2025-6190", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T18:28:55.839Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6190", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-23T18:28:46.571643Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T18:28:52.660Z"}}], "cna": {"title": "Realty Portal \u2013 Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "nootheme", "product": "Realty Portal \u2013 Agent", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.3.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-22T14:03:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3adfe9e-ebdf-4a50-b60f-03a606a84ec0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/realty-portal-agent/trunk/includes/class-agent-process.php#L494"}, {"url": "https://wordpress.org/plugins/realty-portal-agent/"}], "descriptions": [{"lang": "en", "value": "The Realty Portal \u2013 Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:43.116Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6190", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:43.116Z", "dateReserved": "2025-06-16T21:52:52.243Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-23T02:24:38.989Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Realty Portal \u2013 Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role."}, {"lang": "es", "value": "El complemento Realty Portal \u2013 Agent para WordPress es vulnerable a la escalada de privilegios debido a la falta de autorizaci\u00f3n en el controlador AJAX rp_user_profile() en las versiones 0.1.0 a 0.3.9. Este controlador lee los pares de metaclave y valor proporcionados por el cliente desde $_POST y los pasa directamente a update_user_meta() sin restringirlos a una lista blanca segura. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, sobrescribir el metadato wp_capabilities y otorgarse el rol de administrador."}], "id": "CVE-2025-6190", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-23T03:15:24.963", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/realty-portal-agent/trunk/includes/class-agent-process.php#L494"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/realty-portal-agent/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3adfe9e-ebdf-4a50-b60f-03a606a84ec0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:09:18.758857+00:00", "value": {"mitigation_remediation": ["Upgrade the Realty Portal \u2013 Agent plugin to a version that removes the missing authorization check, such as the latest release available from the vendor.", "Add a firewall or role\u2011based rule to block authenticated users from accessing the rp_user_profile() AJAX endpoint, ensuring that only administrators can invoke it.", "If an update cannot be applied immediately, manually modify the plugin\u2019s rp_user_profile() function to validate or hard\u2011code allowed meta keys, or disable the endpoint altogether."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This issue affects the Realty Portal \u2013 Agent plugin, published by Nootheme, in WordPress installations that use plugin versions 0.1.0 to 0.3.9. Users of later releases are not impacted unless the vulnerability has been reintroduced.", "description_and_impact": "The Realty Portal \u2013 Agent plugin for WordPress contains a missing authorization check in the rp_user_profile() AJAX handler for versions 0.1.0 through 0.3.9. The handler accepts client\u2011supplied meta key/value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This allows any authenticated user with Subscriber-level access or higher to overwrite the wp_capabilities meta field and grant themselves the administrator role, effectively taking full control of the site.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.8, indicating a high\u2011severity issue. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The attack requires the attacker to be authenticated but only at the Subscriber level, which many websites grant to regular users. Once authenticated, the attacker can trigger the AJAX request to elevate privileges to administrator, leading to full control over the site, potential data exfiltration, and modification of site settings."}}}}, "created": "2025-07-23T17:35:57.398940+00:00", "updated": "2026-04-20T22:15:06.195245+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}