{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6758", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-27T00:08:16.995Z", "datePublished": "2025-08-19T06:45:27.412Z", "dateUpdated": "2026-04-08T17:29:16.610Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:16.610Z"}, "affected": [{"vendor": "imithemes", "product": "Real Spaces - WordPress Properties Directory Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration."}], "title": "Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to Administrator via 'imic_agent_register'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2b24858-dfcd-46f3-9552-c7acc63a1ee7?source=cve"}, {"url": "https://themeforest.net/item/real-spaces-wordpress-real-estate-theme/8219779"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alyudin Nafiie"}], "timeline": [{"time": "2025-07-30T19:22:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-19T13:20:27.640294Z", "id": "CVE-2025-6758", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-19T13:20:55.129Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6758", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-19T13:20:27.640294Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-19T13:20:47.509Z"}}], "cna": {"title": "Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to Administrator via 'imic_agent_register'", "credits": [{"lang": "en", "type": "finder", "value": "Alyudin Nafiie"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "imithemes", "product": "Real Spaces - WordPress Properties Directory Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-30T19:22:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2b24858-dfcd-46f3-9552-c7acc63a1ee7?source=cve"}, {"url": "https://themeforest.net/item/real-spaces-wordpress-real-estate-theme/8219779"}], "descriptions": [{"lang": "en", "value": "The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:16.610Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6758", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:16.610Z", "dateReserved": "2025-06-27T00:08:16.995Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-19T06:45:27.412Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration."}, {"lang": "es", "value": "El tema Real Spaces - WordPress Properties Directory Theme para WordPress es vulnerable a la escalada de privilegios mediante la funci\u00f3n 'imic_agent_register' en todas las versiones hasta la 3.6 incluida. Esto se debe a la falta de restricciones en el rol de registro. Esto permite que atacantes no autenticados elijan arbitrariamente su rol, incluido el de Administrador, durante el registro de usuarios."}], "id": "CVE-2025-6758", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-19T07:15:30.697", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/real-spaces-wordpress-real-estate-theme/8219779"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2b24858-dfcd-46f3-9552-c7acc63a1ee7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:53:03.431797+00:00", "value": {"mitigation_remediation": ["Update Real Spaces to a version newer than 3.6 where role restrictions are enforced.", "If an update is unavailable, remove or disable the role selection parameter from the registration form so that only a safe default role can be assigned.", "Revoke administrative privileges from existing admin accounts or lock all accounts until the theme update is applied."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All released versions of Real Spaces \u2013 WordPress Properties Directory Theme by imithemes up to and including 3.6 are vulnerable. WordPress sites that have installed this theme and expose the registration feature are at risk.", "description_and_impact": "The theme contains a functionality called 'imic_agent_register' that allows user registration. The function fails to enforce role validation, permitting any role value to be accepted. An attacker can set the role to Administrator, yielding full administrative control over the WordPress site, including configuration changes, content creation, plugin installation, and access to all sensitive data. This weakness is an example of Improper Privilege Escalation (CWE-269).", "risk_and_exploitability": "With a CVSS score of 9.8, the vulnerability is classified as very high severity. The EPSS score of less than 1% indicates that exploit attempts are currently rare and the theme is not listed in CISA KEV. The attack vector is unauthenticated remote; a malicious actor merely needs to submit a crafted request to the registration endpoint, specifying the Administrator role, to gain administrative privileges. No credentials or additional privileges are required, making the exploitation path highly accessible to threat actors."}}}}, "created": "2026-04-20T20:00:10.519829+00:00", "updated": "2026-04-20T20:00:10.519840+00:00", "vendors": []}