The vulnerability identified as CVE-2025-11985 affects the Realty Portal plugin developed by nootheme for WordPress, specifically versions 0.1 through 0.4.1. The root cause is a missing authorization check (CWE-862) in the function 'rp_save_property_settings', which is responsible for saving property-related settings within the plugin. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this function and modify arbitrary WordPress options without proper capability verification. By exploiting this, an attacker can alter critical site configurations, such as changing the default role assigned to new users to 'administrator' and enabling user registration if it was previously disabled. Consequently, the attacker can create new accounts with administrative privileges or escalate their own privileges, gaining full control over the WordPress installation. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and only requires low privileges (PR:L) without any user interaction (UI:N). The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Despite no known exploits in the wild at the time of publication, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin’s functionality in real estate websites. The lack of a patch link indicates that a fix may not yet be publicly available, underscoring the urgency for mitigation.

If exploited, this vulnerability allows attackers to gain administrative access to WordPress sites running the affected Realty Portal plugin versions. This can lead to complete site takeover, including the ability to install malicious plugins or themes, steal sensitive data, deface websites, or use the compromised site as a launchpad for further attacks. The integrity of site content and configurations can be compromised, and availability may be disrupted through destructive actions or backdoors. Organizations relying on this plugin for real estate listings or property management face reputational damage, data breaches, and potential regulatory consequences. The ease of exploitation by low-privileged users increases the likelihood of attacks, especially on sites with multiple user accounts or where user registration is enabled. The vulnerability’s impact extends to any WordPress site using the affected plugin versions, regardless of size or sector, making it a broad threat to the WordPress ecosystem.

Immediate mitigation steps include disabling the Realty Portal plugin until a patch is available. Administrators should audit user roles and permissions to ensure no unauthorized changes have occurred, especially verifying the default user role and registration settings. Restrict user registration if not required and monitor logs for suspicious activity related to option changes. Employ a Web Application Firewall (WAF) with rules targeting unauthorized option modifications in WordPress. Regularly back up site data and configurations to enable recovery if compromise occurs. If possible, implement least privilege principles by limiting Subscriber-level accounts and reviewing plugin usage. Stay alert for official patches or updates from nootheme and apply them promptly once released. Additionally, consider deploying security plugins that can detect unauthorized changes to WordPress options or user roles.