What the vulnerability does
01 Description
The Real Spaces - WordPress Properties Directory Theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction on the role that can be assigned during registration. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration.
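The fix pattern for this class of flaw is a server-side allowlist on the role a visitor may request. The following is an added example, not the Real Spaces theme's code: the handler name, nonce action, form field names and the 'agent' role slug are hypothetical.

```php
<?php
// Added illustration; NOT the theme's own code. All example_* names, the
// nonce action, the POST field names and the 'agent' role are hypothetical.

// Roles a visitor is allowed to pick for themselves at sign-up.
const EXAMPLE_SELF_SERVICE_ROLES = array( 'subscriber', 'agent' );

function example_resolve_signup_role( $requested ) {
    // Reject arrays and other non-string input before normalising.
    $requested = is_string( $requested ) ? sanitize_key( $requested ) : '';
    // Strict allowlist: 'administrator', 'editor' and the like never pass.
    if ( in_array( $requested, EXAMPLE_SELF_SERVICE_ROLES, true ) && get_role( $requested ) ) {
        return $requested;
    }
    // Fixed low-privilege fallback rather than echoing the request.
    return 'subscriber';
}

function example_agent_register() {
    check_ajax_referer( 'example_agent_register', 'nonce' );

    // Honour the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    $username = isset( $_POST['username'] ) && is_string( $_POST['username'] ) ? wp_unslash( $_POST['username'] ) : '';
    $email    = isset( $_POST['email'] ) && is_string( $_POST['email'] ) ? wp_unslash( $_POST['email'] ) : '';
    $role     = isset( $_POST['role'] ) ? wp_unslash( $_POST['role'] ) : '';

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $username, true ),
        'user_email' => sanitize_email( $email ),
        'user_pass'  => wp_generate_password( 24 ),
        // The weak pattern is passing the request's role value straight through here.
        'role'       => example_resolve_signup_role( $role ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    // E-mail the new user a link to set their own password.
    wp_new_user_notification( $user_id, null, 'user' );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_agent_register', 'example_agent_register' );
```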
Explanation of Vulnerability in Simple Terms
02 Summary
The Real Spaces WordPress theme versions 3.6 and earlier contain a privilege management flaw that allows unauthenticated attackers to gain full control of the site. No special conditions or user interaction are required—an attacker on the network can exploit this remotely to read, modify, or delete all site data and functionality.
What an attacker can do
03 Attacker Capabilities
Run arbitrary code on the site, read all data, modify or delete content, and take full control without needing a password.
Potential impact on your site
04 Site Impact
Complete compromise of the WordPress site, including all user accounts, content, and configuration.
Conditions required to exploit
05 Prerequisites
None. The attacker needs only network access; no authentication or user interaction is required.
Key dates
06 Disclosure timeline
August 19, 2025: CVE published
April 8, 2026: Record updated