CVE-2025-11985: CWE-862 Missing Authorization in nootheme Realty Portal
The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-11985 affects the Realty Portal plugin for WordPress, specifically versions 0.1 through 0.4.1. The root cause is a missing authorization check (CWE-862) in the 'rp_save_property_settings' function, which fails to verify if the authenticated user has sufficient privileges before allowing modifications to critical site options. This flaw permits any authenticated user with at least Subscriber-level access to update arbitrary WordPress options, including changing the default role assigned to new users to 'administrator' and enabling user registration. By doing so, an attacker can create new administrative accounts without needing higher privileges initially, effectively escalating their privileges to full site administrator. The vulnerability is remotely exploitable over the network without requiring user interaction beyond initial authentication. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and privileges required. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability poses a significant risk to WordPress sites using the Realty Portal plugin, especially those that allow user registration or have multiple authenticated users with low privileges.
Potential Impact
For European organizations, this vulnerability could lead to complete site compromise, resulting in unauthorized data modification, data leakage, and potential defacement or service disruption. Real estate companies, property management firms, and agencies using the Realty Portal plugin on WordPress are at risk of attackers gaining administrative control, which could be leveraged to steal sensitive client information, manipulate listings, or deploy further malware. The ability to escalate privileges from a low-level user to administrator undermines the integrity of the entire WordPress installation and any connected systems. Given the widespread use of WordPress across Europe and the growing digitalization of real estate services, the impact could be significant, affecting business continuity, regulatory compliance (e.g., GDPR), and customer trust. Additionally, compromised sites could be used as launchpads for further attacks within corporate networks or against customers.
Mitigation Recommendations
Immediate mitigation steps include restricting user roles to trusted individuals only and disabling user registration until a patch is available. Administrators should audit existing user roles and permissions to ensure no unauthorized accounts have been created. Implementing a Web Application Firewall (WAF) with rules to detect and block unauthorized attempts to invoke 'rp_save_property_settings' or modify critical options can reduce risk. Monitoring logs for unusual changes to site options or new administrator accounts is essential. Organizations should also consider isolating WordPress instances and limiting plugin usage to trusted and actively maintained plugins. Since no official patch is currently available, contacting the plugin vendor for updates or applying custom authorization checks in the plugin code can serve as temporary fixes. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.
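One way to apply the temporary "custom authorization check" mentioned above without editing the plugin itself, as an added example (not code from the plugin, its vendor, or this advisory): a must-use plugin that refuses changes to a few sensitive options unless the current user has `manage_options`. The file name, function and constant names, the option list, and the assumption that the vulnerable code path writes through `update_option()` are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Guard sensitive options (added example)
 *
 * Save as wp-content/mu-plugins/guard-sensitive-options.php (hypothetical
 * file name). Assumes a single-site install and that the vulnerable code
 * path writes through update_option(), which fires 'pre_update_option'.
 */

// Assumption: options no low-privileged request should change on this site.
const EXAMPLE_GUARDED_OPTIONS = array(
	'default_role',
	'users_can_register',
	'admin_email',
	'siteurl',
	'home',
);

function example_guard_option_update( $value, $option, $old_value ) {
	if ( ! in_array( $option, EXAMPLE_GUARDED_OPTIONS, true ) ) {
		return $value;
	}
	// Before pluggable.php loads, or in cron / WP-CLI without --user, there
	// is no logged-in user to authorize, so let core behave as usual.
	if ( ! function_exists( 'is_user_logged_in' ) || ! is_user_logged_in() ) {
		return $value;
	}
	if ( current_user_can( 'manage_options' ) ) {
		return $value;
	}
	// Leave a trace for log monitoring; the option name comes from the fixed list above.
	error_log( sprintf(
		'[option-guard] blocked change to "%s" by user ID %d',
		$option,
		get_current_user_id()
	) );
	// Returning the old value makes update_option() see no change and skip the write.
	return $old_value;
}
add_filter( 'pre_update_option', 'example_guard_option_update', 10, 3 );
```

This narrows the impact but does not add the missing capability check to `rp_save_property_settings`; options outside the list remain writable, so disabling the plugin is still the stronger measure until a fix exists.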
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-20T18:46:05.784Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69202359cf2d47c38997b49c
Added to database: 11/21/2025, 8:31:21 AM
Last enriched: 11/21/2025, 8:39:52 AM
Last updated: 11/22/2025, 12:24:48 AM