CVE-2025-5117 is a critical privilege escalation vulnerability identified in the Property – Real Estate Directory Listing plugin for WordPress, developed by themeglow. The flaw exists in versions 1.0.5 and 1.0.6 due to a missing authorization check (CWE-862) on the property_package_user_role metadata field. Specifically, authenticated users with Author-level permissions or higher can create a package post and manipulate the property_package_user_role metadata to assign themselves the administrator role. The exploit involves submitting this manipulated data through the PayPal registration form, which lacks proper capability verification, thereby allowing privilege escalation without additional user interaction. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no known exploits have been reported in the wild yet, the vulnerability presents a significant risk to WordPress sites using the affected plugin version, potentially allowing attackers to fully compromise site administration and control. The vulnerability was publicly disclosed on May 27, 2025, and no official patches have been linked yet, emphasizing the need for immediate mitigation.

The vulnerability allows attackers with relatively low privileges (Author-level or above) to escalate their access to full administrator rights. This can lead to complete site takeover, including the ability to modify or delete content, install malicious plugins or themes, steal sensitive user data, and disrupt site availability. For organizations, this can result in data breaches, defacement, loss of customer trust, and potential regulatory penalties. Since WordPress powers a significant portion of websites globally, and this plugin is used in real estate directory listings, the impact extends to businesses relying on these platforms for property listings and transactions. The ease of exploitation (no user interaction needed beyond authentication) and the high privileges gained make this vulnerability particularly dangerous. Attackers could leverage this flaw to implant persistent backdoors or pivot to other internal systems if the WordPress site is part of a larger network.

1. Immediately restrict Author-level and higher user permissions to trusted users only until a patch is available. 2. Monitor and audit user roles and package posts for suspicious changes, especially those assigning administrator roles via property_package_user_role metadata. 3. Implement Web Application Firewall (WAF) rules to detect and block attempts to manipulate the property_package_user_role field or unusual PayPal registration form submissions. 4. Disable or remove the Property – Real Estate Directory Listing plugin if not essential, or downgrade user roles to below Author if possible. 5. Follow themeglow’s official channels for patch releases and apply updates promptly once available. 6. Conduct regular security reviews and penetration tests focusing on privilege escalation vectors in WordPress plugins. 7. Employ multi-factor authentication for all administrative accounts to reduce risk if privilege escalation occurs. 8. Backup site data regularly to enable recovery in case of compromise.