CVE-2025-5117: CWE-862 Missing Authorization in themeglow Property – Real Estate Directory Listing
The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes it possible for authenticated attackers, with Author‐level access and above, to elevate their privileges to that of an administrator by creating a package post whose property_package_user_role is set to administrator and then submitting the PayPal registration form.
AI Analysis
Technical Summary
CVE-2025-5117 is a high-severity privilege escalation vulnerability affecting the Property – Real Estate Directory Listing plugin for WordPress, developed by themeglow. Versions 1.0.5 to 1.0.6 of this plugin are missing an authorization check (CWE-862) on the property_package_user_role metadata. The vulnerability allows an authenticated attacker with Author-level access or higher to escalate their privileges to administrator. This is achieved by creating a package post with property_package_user_role set to 'administrator' and then submitting the PayPal registration form. Because the capability check is missing, the plugin does not verify whether the user is authorized to assign the administrator role, so the escalation requires no user interaction beyond the form submission. The CVSS v3.1 score of 8.8 reflects the high severity of this vulnerability: network attack vector, low attack complexity, and no user interaction needed. The impact includes full compromise of the WordPress site, allowing attackers to execute arbitrary code, modify content, and potentially pivot to other systems. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and poses a significant risk to affected installations. No official patches are listed yet, so mitigation relies on other controls until updates are available.
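The capability check the summary describes as missing can be approximated site-side until a fix ships. The following must-use plugin is an added example, not the vendor's code or patch; it assumes the plugin stores the role through WordPress's post-metadata API, and the function and constant names are hypothetical.

```php
<?php
/**
 * Plugin Name: Package role guard (added example, hypothetical)
 * Drop into wp-content/mu-plugins/. Not the vendor's fix.
 */

// Meta key named in the advisory.
const PKG_ROLE_META_KEY = 'property_package_user_role';

// Capabilities that mark a role as too powerful to hand out through a package.
const PKG_SENSITIVE_CAPS = array( 'manage_options', 'promote_users', 'edit_users', 'activate_plugins' );

/** True when $value names an existing role that carries a sensitive capability. */
function pkg_role_is_privileged( $value ) {
	if ( ! is_string( $value ) ) {
		return true; // unexpected type for a role name: treat as unsafe
	}
	$role = get_role( $value );
	if ( null === $role ) {
		return false; // not a registered role, so it cannot grant capabilities
	}
	foreach ( PKG_SENSITIVE_CAPS as $cap ) {
		if ( $role->has_cap( $cap ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Runs before add_post_meta()/update_post_meta() write the value. Returning a
 * non-null value short-circuits the write, so `false` rejects it.
 */
function pkg_guard_role_meta( $check, $post_id, $meta_key, $meta_value ) {
	if ( PKG_ROLE_META_KEY !== $meta_key ) {
		return $check;
	}
	if ( pkg_role_is_privileged( $meta_value ) && ! current_user_can( 'promote_users' ) ) {
		// sanitize_key() keeps the logged value to [a-z0-9_-] so it cannot forge log lines.
		$shown = is_string( $meta_value ) ? sanitize_key( $meta_value ) : gettype( $meta_value );
		error_log( sprintf( 'Blocked %s=%s on post %d by user %d',
			$meta_key, $shown, $post_id, get_current_user_id() ) );
		return false;
	}
	return $check;
}
add_filter( 'add_post_metadata', 'pkg_guard_role_meta', 10, 4 );
add_filter( 'update_post_metadata', 'pkg_guard_role_meta', 10, 4 );
```

The guard only covers writes made through the metadata API from the moment it is installed; values already stored in the database are untouched and need a separate audit.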
Potential Impact
For European organizations using WordPress sites with the Property – Real Estate Directory Listing plugin version 1.0.5, this vulnerability poses a severe risk. Real estate companies, agencies, and property listing platforms relying on this plugin could face full site compromise, leading to data breaches involving sensitive customer information, financial data, and business-critical content. Attackers gaining administrator privileges can deface websites, inject malicious code, or use the compromised site as a foothold for further attacks within the organization's network. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data exposure), financial losses, and operational disruption. Given the plugin’s niche market, the impact is concentrated but critical for affected entities. The lack of user interaction and low complexity of exploitation increase the likelihood of automated attacks targeting vulnerable sites across Europe.
Mitigation Recommendations
1. Immediate mitigation involves restricting Author-level and higher user roles to trusted personnel only, minimizing the risk of insider threats or compromised accounts.
2. Monitor WordPress user roles and audit recent changes to detect unauthorized privilege escalations.
3. Disable or remove the Property – Real Estate Directory Listing plugin version 1.0.5 until a patched version is released.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious POST requests related to package post creation and PayPal form submissions that attempt to set property_package_user_role to 'administrator'.
5. Enforce strong authentication mechanisms, including multi-factor authentication (MFA) for all users with elevated privileges.
6. Regularly review and update WordPress core, plugins, and themes to the latest secure versions once patches become available.
7. Conduct security awareness training for site administrators to recognize and respond to privilege escalation attempts.
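For the role audit in step 2, the script below is an added example (not part of the original advisory or the plugin) meant to be run through WP-CLI's `wp eval-file`. The file name, the function names and the 30-day look-back window are assumptions.

```php
<?php
// Added example: run with `wp eval-file audit-package-roles.php` (file name hypothetical).

/** Package posts whose stored role would grant site administration. */
function audit_package_role_meta() {
	global $wpdb;
	$rows = $wpdb->get_results( $wpdb->prepare(
		"SELECT post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s",
		'property_package_user_role' // meta key named in the advisory
	) );
	$findings = array();
	foreach ( $rows as $row ) {
		$role = get_role( $row->meta_value );
		if ( null === $role || ! $role->has_cap( 'manage_options' ) ) {
			continue; // role does not exist or is not administrative
		}
		$post       = get_post( (int) $row->post_id );
		$author     = $post ? get_userdata( (int) $post->post_author ) : false;
		$findings[] = array(
			'post_id'      => (int) $row->post_id,
			'stored_role'  => $row->meta_value,
			'author'       => $author ? $author->user_login : '(unknown)',
			'author_roles' => $author ? implode( ',', $author->roles ) : '',
			'modified_gmt' => $post ? $post->post_modified_gmt : '',
		);
	}
	return $findings;
}

/** Administrator accounts registered within the last $days days (window is an assumption). */
function audit_recent_admins( $days ) {
	$cutoff = time() - $days * DAY_IN_SECONDS;
	$recent = array();
	foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
		// user_registered is stored in GMT.
		if ( strtotime( $user->user_registered . ' UTC' ) >= $cutoff ) {
			$recent[] = array( 'ID' => $user->ID, 'login' => $user->user_login,
				'email' => $user->user_email, 'registered_gmt' => $user->user_registered );
		}
	}
	return $recent;
}

$reports = array( 'package meta' => audit_package_role_meta(), 'recent admins' => audit_recent_admins( 30 ) );
foreach ( $reports as $label => $rows ) {
	WP_CLI::log( sprintf( '%s: %d finding(s)', $label, count( $rows ) ) );
	if ( $rows ) {
		WP_CLI\Utils\format_items( 'table', $rows, array_keys( $rows[0] ) );
	}
}
```

A package post authored by a non-administrator with an administrative stored role is the pattern the advisory describes; the recent-admins list only catches newly registered accounts, so the full administrator list should also be compared against a known-good roster.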
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-23T10:58:13.501Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6835afe5182aa0cae2104bfa
Added to database: 5/27/2025, 12:28:21 PM
Last enriched: 7/11/2025, 11:49:00 AM
Last updated: 8/5/2025, 11:04:29 PM