CVE-2025-6190: CWE-862 Missing Authorization in nootheme Realty Portal – Agent
The Realty Portal – Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role.
AI Analysis
Technical Summary
CVE-2025-6190 is a high-severity privilege escalation vulnerability in the Realty Portal – Agent plugin for WordPress, developed by nootheme, affecting versions 0.1.0 through 0.3.9. The flaw sits in the rp_user_profile() AJAX handler, which processes user profile updates. Any logged-in user can invoke a wp_ajax_* handler through admin-ajax.php, and this one takes the meta key and value pairs supplied in the POST body and passes them straight to update_user_meta(). That core function performs no authorization of its own; the only key protection WordPress core applies is is_protected_meta(), which covers underscore-prefixed keys, and the capabilities key has no underscore prefix. Because neither the handler nor core decides which keys this caller may write (CWE-862), a Subscriber can submit the capabilities key (wp_capabilities on a default install; the real key is {table_prefix}capabilities, so it follows the configured table prefix) with a value of array('administrator' => true).

WordPress reads a user's roles from this meta when it builds the WP_User object on each request, so the new role takes effect on the attacker's next request without re-authentication. An administrator has full control of the site: content changes, plugin and theme installation (and therefore arbitrary PHP execution), data export, and new user creation.

The CVSS 3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, low privileges required (any account at Subscriber level or above), no user interaction, and high impact on confidentiality, integrity and availability. At the time this entry was enriched (23 July 2025) no public exploit had been reported and no vendor patch had been linked. The attack nonetheless needs nothing beyond one low-privileged account and a single authenticated POST, so affected sites should treat it as urgent. The root cause is the absence of both an authorization decision and an allow-list of writable keys in the handler.
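The following is an added illustration written for this entry, not code from the plugin or from the advisory. The advisory names the handler rp_user_profile() and states that it copies $_POST key/value pairs into update_user_meta(); the request field name ('meta'), the wp_ajax action name, the nonce action name and the profile keys in the allow-list are assumptions. The first function shows the vulnerable shape as described, the second a hardened replacement.

```php
<?php
// Added example, not the plugin's code. Field name 'meta', the AJAX action name,
// the nonce action and the allow-listed profile keys are assumptions.

// 1. Vulnerable shape as the advisory describes it. Every logged-in user can reach a
//    wp_ajax_* handler, and update_user_meta() performs no authorization of its own,
//    so meta[wp_capabilities][administrator]=1 becomes array('administrator' => true)
//    and is written as the user's role store.
function rp_user_profile_vulnerable() {
    $user_id = get_current_user_id();
    $pairs   = isset( $_POST['meta'] ) ? (array) $_POST['meta'] : array();
    foreach ( $pairs as $key => $value ) {
        update_user_meta( $user_id, $key, $value ); // no allow-list, no capability check
    }
    wp_send_json_success();
}

// 2. Hardened shape: CSRF nonce, a capability check against the account being
//    modified, and a closed allow-list mapping each permitted key to its sanitizer.
//    The loop runs over the allow-list, not over the request, so the capabilities key
//    (or any other unexpected key) can never reach update_user_meta().
function rp_user_profile_hardened() {
    check_ajax_referer( 'rp_user_profile', 'nonce' ); // dies on a missing or invalid nonce

    $user_id = get_current_user_id();
    // Users may edit themselves; this check matters the moment a target user ID
    // is ever taken from the request instead of the session.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Assumed profile fields for a realty agent; the plugin's real keys are unknown here.
    $allowed = array(
        'rp_agent_phone'   => 'sanitize_text_field',
        'rp_agent_bio'     => 'sanitize_textarea_field',
        'rp_agent_website' => 'esc_url_raw',
    );

    $pairs   = isset( $_POST['meta'] ) ? (array) wp_unslash( $_POST['meta'] ) : array();
    $updated = array();
    foreach ( $allowed as $key => $sanitize ) {
        if ( ! array_key_exists( $key, $pairs ) || is_array( $pairs[ $key ] ) ) {
            continue; // field absent, or an array where a scalar is expected
        }
        update_user_meta( $user_id, $key, call_user_func( $sanitize, $pairs[ $key ] ) );
        $updated[] = $key;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}

add_action( 'wp_ajax_rp_user_profile', 'rp_user_profile_hardened' );
```

The inversion in the hardened version is the point: iterating over what the code permits rather than over what the client sent means a new sensitive key added by a future WordPress release is excluded by default, whereas a deny-list of known-bad keys would have to be updated to cover it.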
Potential Impact
For European organizations running WordPress sites with the Realty Portal – Agent plugin, this vulnerability poses a significant risk. An attacker holding any authenticated account (Subscriber or above) can escalate to administrator and take full control of the site. The precondition is weak: if the site allows self-registration (Settings > General, "Anyone can register"), as agent and client portals frequently do, an attacker can create the required account in seconds. Administrator access allows reading customer and property data, defacing the site, planting malicious code (backdoors, malicious plugins or other malware) and disrupting operations. Real estate agencies and property management firms that use the plugin for client interaction and data handling are most exposed. A compromise involving personal data is a GDPR breach with notification duties, possible fines and reputational damage. Where the site shares credentials, databases or SSO with other corporate systems, the compromised WordPress administrator account can also serve as a pivot into internal networks. The low barrier to exploitation and the high impact on confidentiality, integrity and availability make this a priority issue for European organizations operating online real estate portals or similar services.
Mitigation Recommendations
Immediate mitigation steps:
1) Fix the handler rather than the symptom: verify a nonce with check_ajax_referer(), confirm current_user_can('edit_user', $user_id) for the account being modified, and never let the request decide which meta keys are written.
2) Replace the open loop over $_POST with a closed allow-list of profile keys, each paired with its own sanitizer, and iterate over the allow-list rather than the input so that {table_prefix}capabilities (wp_capabilities by default) and wp_user_level can never reach update_user_meta().
3) Until a fixed release is available, deactivate or remove the plugin, or block requests to admin-ajax.php that invoke this handler for non-administrator sessions at the web server or WAF.
4) Hunt for escalation that may already have happened: list administrator accounts (for example wp user list --role=administrator) and compare them with the known set; look for capabilities meta rows granting administrator to accounts that should be subscribers. WordPress does not timestamp usermeta changes, so correlate suspicious accounts with web-server logs of POST requests to admin-ajax.php from low-privileged sessions and watch for anomalous user behaviour.
5) If an unexpected administrator is found, treat the site as compromised: remove the role, reset passwords for all privileged accounts, rotate the salts in wp-config.php to invalidate existing sessions, and review added plugins, users, files and scheduled tasks.
6) Shrink the precondition: disable open registration unless the business needs it, keep existing roles at the minimum required, and enforce strong authentication (MFA) for privileged accounts.
7) Update WordPress core and all plugins as soon as a fixed version is published, and include this class of flaw (client-chosen meta keys reaching update_user_meta(), update_post_meta() or update_option()) in code reviews and penetration tests of custom and third-party plugins.
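Steps 3 and 4 above can be backed by a site-level stopgap while the vendor fix is pending. The following must-use plugin is an added example written for this entry, not code from the advisory or from the plugin. It uses the core update_user_metadata and add_user_metadata filters, which run before any write, to refuse changes to the capabilities key from callers without the promote_users capability, while still allowing the one write self-registration needs, and it adds an audit function that reports administrators missing from a known-good list. The single-site key derivation, the default-role heuristic and the log format are this example's own choices.

```php
<?php
/**
 * Plugin Name: Guard role meta writes (added example, not from the advisory or the plugin)
 * Description: Stopgap for wp-content/mu-plugins/ until the vendor fix is applied.
 */

// The role store is the "{$wpdb->prefix}capabilities" user meta: 'wp_capabilities' on a
// default single-site install. Multisite uses a per-blog prefix, which this single-site
// example does not cover.
function sec_capabilities_meta_key() {
    global $wpdb;
    return $wpdb->prefix . 'capabilities';
}

// Runs on update_user_metadata / add_user_metadata before anything is written.
// Returning null lets WordPress proceed; returning false makes update_user_meta()
// return false without touching the database.
function sec_guard_capabilities_write( $check, $user_id, $meta_key, $meta_value ) {
    if ( $meta_key !== sec_capabilities_meta_key() ) {
        return $check;
    }
    // Administrators (promote_users) and WP-CLI sessions may change roles.
    if ( current_user_can( 'promote_users' ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return $check;
    }
    // Self-registration writes exactly array( default_role => true ) for the new account
    // (heuristic assumed here); allow that one shape and refuse everything else,
    // including a bare string, which a role store should never be.
    $default = get_option( 'default_role', 'subscriber' );
    if ( is_array( $meta_value ) && array( $default ) === array_keys( array_filter( $meta_value ) ) ) {
        return $check;
    }
    error_log( sprintf(
        'sec-guard: refused %s write for user %d by user %d via %s; value=%s',
        $meta_key,
        $user_id,
        get_current_user_id(),
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli',
        wp_json_encode( $meta_value )
    ) );
    return false;
}
add_filter( 'update_user_metadata', 'sec_guard_capabilities_write', 10, 4 );
add_filter( 'add_user_metadata', 'sec_guard_capabilities_write', 10, 4 );

// Detection: return administrators whose login is not in the expected list, with
// their registration date. Run from WP-CLI, e.g.
//   wp eval 'print_r( sec_unexpected_admins( array( "alice", "ops-admin" ) ) );'
// or from a scheduled job; the expected logins are site-specific.
function sec_unexpected_admins( array $expected_logins ) {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_registered' ),
    ) );
    $extra = array();
    foreach ( $admins as $admin ) {
        if ( ! in_array( $admin->user_login, $expected_logins, true ) ) {
            $extra[ (int) $admin->ID ] = $admin->user_login . ' (registered ' . $admin->user_registered . ')';
        }
    }
    return $extra;
}
```

Two caveats a practitioner should weigh before deploying this: the guard only sees writes that go through the WordPress meta API, so direct SQL changes and the plugin's own intended role handling (if it has any) are unaffected by it or may be blocked by it respectively, and it must not be present during a fresh install or non-WP-CLI user provisioning scripts, which write administrator capabilities with no logged-in user. Test on a staging copy, and remove the file once the vendor fix is in place.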
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-16T21:52:52.243Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68804d50ad5a09ad00065fdc
Added to database: 7/23/2025, 2:47:44 AM
Last enriched: 7/23/2025, 3:03:01 AM
Last updated: 7/23/2025, 3:03:01 AM
Related Threats
- CVE-2025-6174: CWE-79 Cross-Site Scripting (XSS) in Qwizcards | online quizzes and flashcards (High)
- CVE-2025-54453: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Samsung Electronics MagicINFO 9 Server (High)
- CVE-2025-54452: CWE-287 Improper Authentication in Samsung Electronics MagicINFO 9 Server (High)
- CVE-2025-54451: CWE-94 Improper Control of Generation of Code ('Code Injection') in Samsung Electronics MagicINFO 9 Server (Critical)
- CVE-2025-54448: CWE-434 Unrestricted Upload of File with Dangerous Type in Samsung Electronics MagicINFO 9 Server (Critical)