What the vulnerability does
01 Description
The "RH - Real Estate WordPress Theme" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1.
Explanation of Vulnerability in Simple Terms
02 Summary
The RH Real Estate WordPress theme versions up to 4.4.0 contain a privilege management flaw that allows authenticated users with low-level access to perform actions reserved for administrators. An attacker with a standard user account can read sensitive data, modify site content, and disrupt site availability. Update to a version newer than 4.4.0 to resolve this issue.
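A version check built from the boundaries stated in the description above, as an added example (not code from the theme or from this advisory's publisher). It assumes the installed version is read from the standard `Version:` header of the theme's style.css; the sample header and the labels returned by `classify` are constructed for illustration.

```python
import re
import sys

# Version boundaries taken from the advisory text.
PARTIAL_FIX = (4, 4, 0)  # partially patched, still listed as affected
FULL_FIX = (4, 4, 1)     # fully patched

# Constructed sample of a theme style.css header (not copied from the real theme).
SAMPLE_STYLE_CSS = """/*
Theme Name: Example Real Estate Theme
Version: 4.4.0
Text Domain: example
*/
body { margin: 0; }
"""

def theme_version(style_css):
    """Return the Version header of a style.css as a tuple of ints, or None."""
    # WordPress reads theme header fields only from the first 8 KB of the file.
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)",
                  style_css[:8192], re.M | re.I)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def classify(version):
    """Map a version tuple onto the advisory's affected / fixed ranges."""
    if version is None:
        return "unknown"
    # Pad short versions so that "4.4" compares equal to "4.4.0".
    v = tuple(version) + (0,) * (3 - len(version))
    if v >= FULL_FIX:
        return "fixed"
    if v >= PARTIAL_FIX:
        # 4.4.0 carries only the partial patch and is still in the affected range.
        return "affected (partial patch)"
    return "affected"

if __name__ == "__main__":
    # Usage: python check_theme.py /path/to/theme/style.css
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_STYLE_CSS
    found = theme_version(text)
    print(found, classify(found))
```
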
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify site content, and disrupt site availability with a low-privilege user account.
Potential impact on your site
04 Site Impact
Compromised user accounts can escalate their permissions to perform admin-level actions without authorization.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low-level privileges (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
June 10, 2025: CVE published
April 8, 2026: Record updated