CVE-2025-6190: CWE-862 Missing Authorization in nootheme Realty Portal – Agent
The Realty Portal – Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-6190 affects the Realty Portal – Agent plugin for WordPress, specifically versions 0.1.0 through 0.3.9. The root cause is a missing authorization check in the rp_user_profile() AJAX handler. This handler processes AJAX requests that include user meta key-value pairs submitted via POST parameters. Instead of validating or restricting these keys to a safe whitelist, the handler passes them directly to WordPress's update_user_meta() function. This function updates user metadata in the database, including critical keys like wp_capabilities, which define user roles and permissions. Because the plugin fails to restrict which meta keys can be updated, an authenticated user with minimal privileges (Subscriber or above) can overwrite their own wp_capabilities meta key to escalate their privileges to Administrator. This escalation grants full control over the WordPress site, enabling actions such as installing plugins, modifying content, or executing arbitrary code. The vulnerability is exploitable remotely without user interaction, increasing its risk. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. No official patches or fixes have been published yet, and no known exploits are reported in the wild as of the publication date. The vulnerability is categorized under CWE-862 (Missing Authorization).
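The pattern the summary says is missing, as an added example; this is not the plugin's code. The action name `example_profile_update`, the `meta` POST field, the nonce names and the allowlist contents are hypothetical.

```php
<?php
// Added example: hypothetical profile handler, not the Realty Portal plugin's code.
// Only these keys may be written from the request (assumed list for illustration).
const EXAMPLE_ALLOWED_PROFILE_META = array( 'first_name', 'last_name', 'description' );

function example_profile_update() {
    // Reject forged requests; 'example_profile' and '_nonce' are assumed names.
    check_ajax_referer( 'example_profile', '_nonce' );

    // Authorization: the caller must be logged in and allowed to edit this user.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $submitted = isset( $_POST['meta'] ) && is_array( $_POST['meta'] )
        ? wp_unslash( $_POST['meta'] )
        : array();

    $saved = array();
    foreach ( $submitted as $key => $value ) {
        // Keys outside the allowlist (wp_capabilities, wp_user_level, ...) are
        // skipped, so the client never chooses which meta row gets written.
        if ( ! in_array( $key, EXAMPLE_ALLOWED_PROFILE_META, true ) || ! is_scalar( $value ) ) {
            continue;
        }
        update_user_meta( $user_id, $key, sanitize_text_field( $value ) );
        $saved[] = $key;
    }

    wp_send_json_success( array( 'updated' => $saved ) );
}
add_action( 'wp_ajax_example_profile_update', 'example_profile_update' );
```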
Potential Impact
This vulnerability allows attackers with minimal authenticated access to fully compromise affected WordPress sites by escalating their privileges to administrator. The impact includes unauthorized access to sensitive data, ability to modify or delete content, install malicious plugins or backdoors, and potentially pivot to other systems within the hosting environment. Organizations using the Realty Portal – Agent plugin are at risk of complete site takeover, data breaches, and reputational damage. Since WordPress powers a significant portion of websites globally, and this plugin targets real estate portals which often handle sensitive client information, the impact extends to privacy violations and business disruption. The ease of exploitation and high privileges gained make this a critical threat for any organization relying on this plugin without mitigations.
Mitigation Recommendations
1. Immediately restrict access to the rp_user_profile() AJAX handler by implementing strict authorization checks to ensure only authorized roles can update user metadata.
2. Implement a whitelist of allowed meta keys that can be updated via AJAX requests, explicitly excluding critical keys such as wp_capabilities.
3. Update the plugin to a patched version once available from the vendor, or disable the plugin temporarily if no fix exists.
4. Monitor user role changes and audit logs for suspicious privilege escalations.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to modify wp_capabilities via AJAX POST requests.
6. Educate administrators to review user roles regularly and remove unnecessary Subscriber or low-privilege accounts.
7. Harden WordPress installations by limiting plugin usage to trusted and actively maintained plugins.
8. Consider implementing multi-factor authentication for administrator accounts to reduce risk from compromised credentials.
9. Back up site data regularly to enable recovery in case of compromise.
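While no patched version exists, a must-use plugin can enforce the key restriction site-wide. The following is an added example, not vendor code; the function name is hypothetical, and it assumes no legitimate flow on the site changes roles over admin-ajax.php for users who lack the `promote_users` capability.

```php
<?php
/**
 * Added example (mu-plugin): refuse writes to role-bearing user meta that
 * arrive over admin-ajax.php from a logged-in user who cannot promote users.
 * The function name is hypothetical.
 */
function example_block_ajax_role_meta( $check, $user_id, $meta_key ) {
    global $wpdb;

    // With the default table prefix these are wp_capabilities and wp_user_level.
    $prefix    = $wpdb->get_blog_prefix();
    $protected = array( $prefix . 'capabilities', $prefix . 'user_level' );

    if ( ! in_array( $meta_key, $protected, true ) ) {
        return $check; // Unrelated key: leave WordPress behaviour unchanged.
    }

    if ( wp_doing_ajax() && is_user_logged_in() && ! current_user_can( 'promote_users' ) ) {
        // Leave an audit trail for the role-change monitoring in item 4.
        error_log( sprintf(
            'Blocked AJAX write to %s for user %d by user %d',
            $meta_key,
            $user_id,
            get_current_user_id()
        ) );
        return false; // A non-null return short-circuits the meta write.
    }

    return $check;
}
add_filter( 'update_user_metadata', 'example_block_ajax_role_meta', 10, 3 );
add_filter( 'add_user_metadata', 'example_block_ajax_role_meta', 10, 3 );
```

Role changes made by administrators through the Users screen are unaffected, because they do not run as AJAX requests and the acting user holds `promote_users`.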
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, South Africa, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-16T21:52:52.243Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68804d50ad5a09ad00065fdc
Added to database: 7/23/2025, 2:47:44 AM
Last enriched: 2/27/2026, 4:05:33 PM
Last updated: 3/26/2026, 9:20:01 AM