CVE-2025-6190 HIGH

CVE-2025-6190: Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function

Vendor Nootheme
Product Realty Portal – Agent
Weakness CWE-862 · Missing authorization
Published July 23, 2025
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Realty Portal – Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role.

Explanation of Vulnerability in Simple Terms

02Summary

Realty Portal – Agent versions 0.3.9 and earlier lack proper authorization checks, allowing authenticated users to read, modify, or delete data they should not have access to. An attacker with a low-privilege account can escalate their capabilities to perform actions reserved for administrators or other users. No user interaction is required beyond initial login.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete data belonging to other users or the site without proper permission.

Potential impact on your site

04Site Impact

Any registered user can access or alter sensitive agent, property, or customer information depending on the plugin's data model.

Conditions required to exploit

05Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

06Disclosure timeline

July 23, 2025 CVE published
April 8, 2026 Record updated