CVE-2025-11985: CWE-862 Missing Authorization in nootheme Realty Portal
The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
AI Analysis
Technical Summary
CVE-2025-11985 is a vulnerability identified in the nootheme Realty Portal plugin for WordPress, specifically affecting versions 0.1 through 0.4.1. The root cause is a missing authorization check (CWE-862) in the 'rp_save_property_settings' function, which is responsible for saving property-related settings within the plugin. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this function and modify arbitrary WordPress options. Notably, attackers can change the default user role assigned during registration to 'administrator' and enable user registration if it was previously disabled. By doing so, an attacker can create new administrative users or escalate their privileges from a low-level account to full admin rights. This vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The impact is severe, affecting confidentiality, integrity, and availability (C:H/I:H/A:H), as attackers gain full control over the WordPress site, potentially leading to data theft, site defacement, or complete takeover. No public exploits have been reported yet, but the vulnerability's nature makes it a prime target for attackers. The plugin is commonly used in real estate portals built on WordPress, making websites in this niche particularly vulnerable. The vulnerability was published on November 21, 2025, with a CVSS v3.1 score of 8.8, classified as high severity.
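The authorization pattern whose absence the summary describes, shown as an added illustration and not the plugin's code or its patch. The handler name, AJAX action, nonce action and option keys are hypothetical. The handler checks a capability, verifies a nonce, and writes only allow-listed option names.

```php
<?php
// Added illustration, not the Realty Portal source. All "example_" names,
// the nonce action and the option keys are hypothetical.

// Allow-list: option name => sanitizer. Anything not listed here is never
// written, so core options such as default_role stay out of reach.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_currency'       => 'sanitize_text_field',
    'example_items_per_page' => 'absint',
);

function example_save_settings() {
    // 1. Authorization: being logged in is not enough, because Subscribers
    //    are authenticated too. Require an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. Request integrity: verify a nonce bound to this action (dies on failure).
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 3. Input handling: read only the expected array and only known keys.
    $submitted = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $saved = array();
    foreach ( EXAMPLE_ALLOWED_OPTIONS as $key => $sanitize ) {
        if ( array_key_exists( $key, $submitted ) && is_scalar( $submitted[ $key ] ) ) {
            update_option( $key, call_user_func( $sanitize, $submitted[ $key ] ) );
            $saved[] = $key;
        }
    }

    wp_send_json_success( array( 'saved' => $saved ) );
}

// Registered for logged-in users only; there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
```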
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those operating real estate or property management websites using WordPress with the nootheme Realty Portal plugin. Successful exploitation can lead to unauthorized administrative access, enabling attackers to manipulate site content, steal sensitive customer data, deploy malware, or disrupt services. This can result in reputational damage, regulatory penalties under GDPR due to data breaches, and financial losses. The ability to escalate privileges from a low-level user account lowers the barrier for exploitation, increasing the threat surface. Given the widespread use of WordPress across Europe and the importance of real estate sectors in countries like Germany, France, the UK, and the Netherlands, the potential impact is substantial. Additionally, attackers could leverage compromised sites as footholds for lateral movement within organizational networks or for launching further attacks, amplifying the threat.
Mitigation Recommendations
1. Immediately update the Realty Portal plugin to a patched version once available from the vendor or remove the plugin if no update exists.
2. Restrict user roles and permissions rigorously; avoid granting Subscriber or higher privileges to untrusted users.
3. Disable user registration if not required or enforce strict moderation and verification for new accounts.
4. Implement Web Application Firewalls (WAF) with custom rules to detect and block unauthorized calls to 'rp_save_property_settings' or suspicious option changes.
5. Monitor WordPress option changes and user role assignments through logging and alerting mechanisms to detect anomalous behavior early.
6. Conduct regular security audits and penetration testing focusing on plugin vulnerabilities.
7. Educate site administrators about the risks of installing unverified plugins and the importance of timely patching.
8. Employ multi-factor authentication for administrative accounts to reduce the risk of account compromise post-exploitation.
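Recommendations 4 and 5 can be partly enforced inside WordPress itself. The following must-use plugin is an added example, not vendor code; the file path and function names are assumptions, and it targets a single-site install. It refuses and logs changes to the two core options involved in the scenario above (`default_role` and `users_can_register`) unless an administrator makes them.

```php
<?php
/**
 * Added example, not vendor code. Assumed path:
 * wp-content/mu-plugins/registration-option-guard.php (single-site install).
 */

// Record which option was targeted, by which user, and the verdict.
function example_guard_log( $verdict, $option, $old, $new ) {
    error_log( sprintf(
        '[option-guard] %s option=%s old=%s new=%s user_id=%d',
        $verdict,
        $option,
        wp_json_encode( $old ),
        wp_json_encode( $new ),
        get_current_user_id()
    ) );
}

// Filter callback: returning $old makes update_option() skip the write.
function example_guard_option( $new, $old, $option ) {
    if ( is_scalar( $new ) && (string) $new === (string) $old ) {
        return $new; // No effective change, nothing to decide.
    }

    // Invariant: the default role must exist and must not carry admin rights.
    if ( 'default_role' === $option ) {
        $role = is_string( $new ) ? get_role( $new ) : null;
        if ( null === $role || $role->has_cap( 'manage_options' ) ) {
            example_guard_log( 'BLOCKED', $option, $old, $new );
            return $old;
        }
    }

    // Only administrators (or WP-CLI run on the server) may change either option.
    $trusted = ( defined( 'WP_CLI' ) && WP_CLI ) || current_user_can( 'manage_options' );
    if ( ! $trusted ) {
        example_guard_log( 'BLOCKED', $option, $old, $new );
        return $old;
    }

    example_guard_log( 'ALLOWED', $option, $old, $new );
    return $new;
}

add_filter( 'pre_update_option_default_role', 'example_guard_option', 10, 3 );
add_filter( 'pre_update_option_users_can_register', 'example_guard_option', 10, 3 );
```

Lines tagged `[option-guard] BLOCKED` in the PHP error log are the events to alert on; where they land depends on the server's `error_log` configuration.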
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-20T18:46:05.784Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69202359cf2d47c38997b49c
Added to database: 11/21/2025, 8:31:21 AM
Last enriched: 11/28/2025, 8:46:34 AM
Last updated: 1/7/2026, 5:24:37 AM