CVE-2025-3610: CWE-639 Authorization Bypass Through User-Controlled Key in pixel_prime Reales WP STPT
The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary users' passwords and email addresses, including those of administrators, and leverage that to gain access to their accounts. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.
AI Analysis
Technical Summary
CVE-2025-3610 is a high-severity vulnerability affecting the Reales WP STPT plugin for WordPress, developed by pixel_prime. The vulnerability arises from improper authorization checks when updating user details such as passwords and email addresses. Specifically, the plugin fails to verify that the user making the request is entitled to modify the account being updated, allowing authenticated users with subscriber-level privileges or higher to escalate their privileges by changing arbitrary users' credentials, including those of administrators. This effectively enables an attacker with minimal access to take over any account on the affected WordPress site. Furthermore, this vulnerability can be chained with CVE-2025-3609 to achieve remote code execution (RCE) starting from an unauthenticated state, significantly increasing the threat level. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction required. The vulnerability affects all versions up to and including 2.1.2 of the plugin. No official patches have been released at the time of this report, and no known exploits are currently observed in the wild. The underlying weakness is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key): the identifier of the account to be updated is taken from the request and acted upon without checking that the requester is authorized to modify that account.
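The following is an added illustration of the CWE-639 pattern described above in a WordPress context; it is not code from the Reales WP STPT plugin and does not reproduce its handler. It shows a generic profile-update AJAX handler in the shape that produces this weakness (the target user ID is trusted from the request) next to a hardened version that binds the operation to the authenticated identity. The function names, the AJAX action name and the request field names are hypothetical; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `wp_update_user`, `wp_check_password`, `wp_send_json_error`) are real core functions.

```php
<?php
// Added example, not the plugin's code. Handler, action and field names are hypothetical.

// PATTERN THAT PRODUCES CWE-639: the account to update is chosen by a request
// parameter and used directly. Any logged-in user, including a subscriber, can
// overwrite another account's password and email this way.
function hypothetical_update_profile_weak() {
    $user_id  = absint( $_POST['user_id'] );            // user-controlled key
    wp_update_user( array(
        'ID'         => $user_id,
        'user_pass'  => (string) wp_unslash( $_POST['new_password'] ),
        'user_email' => (string) wp_unslash( $_POST['new_email'] ),
    ) );
    wp_send_json_success();
}

// HARDENED HANDLER: authorize the *target* account, not just the caller.
function hypothetical_update_profile_hardened() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'hypothetical_update_profile', '_wpnonce' );

    // 2. The caller must be authenticated. wp_send_json_error() exits.
    $current_id = get_current_user_id();
    if ( 0 === $current_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 3. The missing check: 'edit_user' on the caller's own ID is always granted;
    //    on any other ID it maps to the 'edit_users' capability (administrators).
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current_id;
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'not authorized to edit this user', 403 );
    }

    $wants_pass  = ! empty( $_POST['new_password'] );
    $wants_email = ! empty( $_POST['new_email'] );

    // 4. Credential changes re-authenticate the caller with their current
    //    password (a design choice of this example, not a WordPress rule).
    if ( $wants_pass || $wants_email ) {
        $caller  = get_userdata( $current_id );
        $entered = isset( $_POST['current_password'] )
            ? (string) wp_unslash( $_POST['current_password'] ) : '';
        if ( ! $caller || ! wp_check_password( $entered, $caller->user_pass, $current_id ) ) {
            wp_send_json_error( 'current password incorrect', 403 );
        }
    }

    $update = array( 'ID' => $target_id );
    if ( $wants_pass ) {
        $update['user_pass'] = (string) wp_unslash( $_POST['new_password'] );
    }
    if ( $wants_email ) {
        $email = sanitize_email( wp_unslash( $_POST['new_email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( 'invalid email address', 400 );
        }
        $update['user_email'] = $email;
    }

    $result = wp_update_user( $update );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }

    // 5. Audit trail (supports the logging/monitoring mitigation): who changed
    //    which fields on which account. A cross-account change with a low-
    //    privilege actor is the anomaly a monitoring rule should flag.
    error_log( sprintf(
        'profile update: actor=%d target=%d fields=%s',
        $current_id, $target_id, implode( ',', array_keys( $update ) )
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_update_profile', 'hypothetical_update_profile_hardened' );
```

The single line that separates the two handlers is the `current_user_can( 'edit_user', $target_id )` check on the target ID; the nonce, re-authentication and audit line are defence in depth around it. When reviewing a plugin for this weakness, look for every `wp_update_user`, `wp_set_password` or direct `wp_users` write whose `ID` originates in `$_POST`, `$_GET` or a REST request body and confirm an equivalent target-bound capability check precedes it.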
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the Reales WP STPT plugin installed. Successful exploitation can lead to full account takeover of administrative users, resulting in complete site compromise. This includes unauthorized content modification, data theft, defacement, or deployment of malicious code. The potential to chain this vulnerability with another (CVE-2025-3609) to achieve remote code execution further elevates the risk, enabling attackers to execute arbitrary commands on the server, potentially leading to lateral movement within the network, data exfiltration, or ransomware deployment. Organizations in sectors such as government, finance, healthcare, and e-commerce, which often use WordPress for public-facing websites, are particularly vulnerable. The compromise of administrative accounts can also undermine trust and violate data protection regulations like GDPR, leading to legal and reputational consequences.
Mitigation Recommendations
Given the absence of official patches, European organizations should immediately audit their WordPress installations for the presence of the Reales WP STPT plugin and its version. If the plugin is installed and unpatched, organizations should consider the following specific mitigations:
1) Temporarily disable or uninstall the plugin until a security update is available.
2) Restrict subscriber-level user creation and closely monitor user account activities, especially password and email changes.
3) Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of account takeover.
4) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit this vulnerability.
5) Conduct thorough logging and monitoring of user management actions to detect anomalous behavior, in particular password or email changes where the acting user is not the account being modified.
6) Prepare incident response plans to quickly react to potential compromises.
Once a patch is released, prioritize prompt application of updates and verify the integrity of user accounts and site content.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-14T20:19:19.334Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981cc4522896dcbdac84
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 7/6/2025, 7:41:23 PM
Last updated: 8/11/2025, 4:18:40 PM