CVE-2025-3610: CWE-639 Authorization Bypass Through User-Controlled Key in pixel_prime Reales WP STPT
The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.
AI Analysis
Technical Summary
CVE-2025-3610 affects the pixel_prime Reales WP STPT WordPress plugin, allowing privilege escalation via improper authorization checks. The plugin fails to validate user identity before allowing updates to sensitive account details such as passwords and email addresses. Authenticated attackers with subscriber-level permissions or higher can exploit this to take over other users' accounts, including administrators. This vulnerability is classified under CWE-639. The CVSS 3.1 base score is 8.8, reflecting network attack vector, low attack complexity, required privileges at the low level, no user interaction, and high impact on confidentiality, integrity, and availability. There is no vendor advisory or patch information available at this time. The vulnerability can be chained with CVE-2025-3609 for remote code execution by unauthenticated users.
Potential Impact
Successful exploitation allows attackers with minimal privileges to change passwords and email addresses of arbitrary users, including administrators, resulting in full account takeover. This compromises confidentiality, integrity, and availability of the affected WordPress site. The vulnerability can be leveraged to escalate privileges and potentially execute remote code when combined with another vulnerability (CVE-2025-3609). No known exploits in the wild have been reported yet.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict plugin usage to trusted users only and consider disabling or removing the Reales WP STPT plugin if possible. Monitor for updates from the vendor or security advisories for a patch or official mitigation steps.
CVE-2025-3610: CWE-639 Authorization Bypass Through User-Controlled Key in pixel_prime Reales WP STPT
Description
The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-3610 affects the pixel_prime Reales WP STPT WordPress plugin, allowing privilege escalation via improper authorization checks. The plugin fails to validate user identity before allowing updates to sensitive account details such as passwords and email addresses. Authenticated attackers with subscriber-level permissions or higher can exploit this to take over other users' accounts, including administrators. This vulnerability is classified under CWE-639. The CVSS 3.1 base score is 8.8, reflecting network attack vector, low attack complexity, required privileges at the low level, no user interaction, and high impact on confidentiality, integrity, and availability. There is no vendor advisory or patch information available at this time. The vulnerability can be chained with CVE-2025-3609 for remote code execution by unauthenticated users.
Potential Impact
Successful exploitation allows attackers with minimal privileges to change passwords and email addresses of arbitrary users, including administrators, resulting in full account takeover. This compromises confidentiality, integrity, and availability of the affected WordPress site. The vulnerability can be leveraged to escalate privileges and potentially execute remote code when combined with another vulnerability (CVE-2025-3609). No known exploits in the wild have been reported yet.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict plugin usage to trusted users only and consider disabling or removing the Reales WP STPT plugin if possible. Monitor for updates from the vendor or security advisories for a patch or official mitigation steps.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-14T20:19:19.334Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d981cc4522896dcbdac84
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 4/9/2026, 5:23:22 PM
Last updated: 5/8/2026, 3:12:13 PM
Views: 84
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.