
CVE-2025-3610: CWE-639 Authorization Bypass Through User-Controlled Key in pixel_prime Reales WP STPT

Severity: High
Tags: Vulnerability, CVE-2025-3610, CWE-639
Published: Tue May 06 2025 (05/06/2025, 01:42:43 UTC)
Source: CVE
Vendor/Project: pixel_prime
Product: Reales WP STPT

Description

The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary users' passwords and email addresses, including administrators', and leverage that to gain access to their accounts. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/27/2026, 13:38:48 UTC

Technical Analysis

CVE-2025-3610 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key), affecting the Reales WP STPT plugin for WordPress. The core issue is that the plugin fails to verify a user's identity before allowing updates to sensitive account details such as passwords and email addresses. This lets authenticated attackers with minimal privileges (subscriber-level or higher) escalate their privileges by changing the credentials of arbitrary users, including administrators. Exploitation requires no user interaction and only low privileges, so any authenticated account is sufficient. Furthermore, when combined with CVE-2025-3609, which presumably allows unauthenticated access, attackers can achieve remote code execution on affected WordPress sites. The vulnerability affects all versions up to and including 2.1.2, and no official patch had been released at the time of publication. The CVSS 3.1 base score is 8.8 (high severity: network attack vector, low attack complexity, no user interaction required). The vulnerability impacts confidentiality, integrity, and availability, since attackers can fully compromise accounts and potentially the entire WordPress installation.
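To make the CWE-639 shape concrete, the following is an added illustration and not the Reales WP STPT plugin's own code: a WordPress AJAX profile-update handler that trusts a request-supplied user ID (the defect class the advisory describes), beside a hardened version that binds the update to the authenticated user, requires the `edit_user` capability for any other target, checks a nonce, and re-checks the current password. Function and nonce names are hypothetical.

```php
<?php
// Added illustration, not the Reales WP STPT plugin's own code: the CWE-639 shape the advisory
// describes (a user-controlled ID drives a profile update) beside a hardened handler; names are hypothetical.

// Vulnerable shape: only "is someone logged in?" is checked, so a subscriber can pass
// any user_id, including an administrator's, and overwrite that account's credentials.
function demo_update_profile_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    wp_update_user( array(
        'ID'         => (int) $_POST['user_id'],   // user-controlled key, never authorized
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ) ),
        'user_pass'  => $_POST['password'],
    ) );
    wp_send_json_success();
}

// Hardened shape: bind the target to the caller, require edit_user for anyone else,
// verify a nonce, and re-check the current password before a self-service change.
function demo_update_profile_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    check_ajax_referer( 'demo_profile_update', 'nonce' );  // CSRF check; dies on failure
    $current_id = get_current_user_id();
    $target_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $current_id;
    // Ordinary users may only edit themselves; editing anyone else needs edit_user.
    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $data = array( 'ID' => $target_id );
    if ( ! empty( $_POST['email'] ) ) {
        $data['user_email'] = sanitize_email( wp_unslash( $_POST['email'] ) );
    }
    if ( ! empty( $_POST['password'] ) ) {
        $user = get_userdata( $current_id );
        if ( $target_id === $current_id
             && ! wp_check_password( $_POST['current_password'] ?? '', $user->user_pass, $current_id ) ) {
            wp_send_json_error( 'current password incorrect', 403 );
        }
        $data['user_pass'] = $_POST['password'];
    }
    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_profile', 'demo_update_profile_hardened' );
```

When reviewing a plugin for this class of bug, the question to ask of every update path is whether the record being written is tied to the caller's identity or capability, not merely to the presence of a session.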

Potential Impact

The impact of CVE-2025-3610 is significant for organizations using the Reales WP STPT plugin. Attackers can escalate privileges from low-level subscriber accounts to administrator accounts by changing passwords and email addresses, effectively taking over high-privilege accounts. This compromises the confidentiality of sensitive data, the integrity of website content and user accounts, and the availability of the WordPress site if attackers deploy malicious code or lock out legitimate administrators. When combined with CVE-2025-3609, attackers can achieve remote code execution, allowing full system compromise, data theft, defacement, or use of the server for further attacks. This threat is particularly critical for organizations relying on WordPress for public-facing websites, e-commerce, or internal portals, as it can lead to severe reputational damage, financial loss, and regulatory penalties.

Mitigation Recommendations

To mitigate CVE-2025-3610, organizations should immediately restrict subscriber-level and other low-privilege user access to trusted individuals only and monitor account changes closely. Disable or uninstall the Reales WP STPT plugin if possible until a patch is released. Implement strict access controls and multi-factor authentication for administrator accounts to reduce the risk of takeover. Regularly audit user accounts for unauthorized changes to passwords and email addresses. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting user update functions. Keep WordPress core and all plugins updated, and subscribe to vendor advisories for patch releases. Additionally, segregate administrative functions and consider limiting plugin usage to environments where exposure is minimized. Incident response plans should be prepared to quickly respond to any signs of compromise related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-14T20:19:19.334Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981cc4522896dcbdac84

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 2/27/2026, 1:38:48 PM

Last updated: 3/26/2026, 8:52:18 AM