CVE-2025-4601

The "RH - Real Estate WordPress Theme" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://themeforest.net/item/real-homes-wordpress-real-estate-theme/5373914
https://www.wordfence.com/threat-intel/vulnerabilities/id/a816e5a8-2494-4bcf-869d-5214b21f7791?source=cve

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
Summary		(es) El tema "RH - Tema WordPress para Bienes Raíces" para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 4.4.0 incluida. Esto se debe a que el tema no restringe correctamente los roles de usuario que se pueden actualizar mediante la función inspiry_update_profile(). Esto permite que atacantes autenticados, con acceso de suscriptor o superior, configuren su rol como administrador. La vulnerabilidad se corrigió parcialmente en la versión 4.4.0 y completamente en la 4.4.1.

10 Jun 2025, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 04:15

Updated : 2025-06-12 16:06

NVD link : CVE-2025-4601

Mitre link : CVE-2025-4601

CVE.ORG link : CVE-2025-4601

JSON object : View

Products Affected

No product.

CWE

CWE-269

Improper Privilege Management

8.8 /10