CVE-2025-6758: CWE-269 Improper Privilege Management in imithemes Real Spaces - WordPress Properties Directory Theme
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration.
AI Analysis
Technical Summary
CVE-2025-6758 is a critical vulnerability affecting the Real Spaces - WordPress Properties Directory Theme developed by imithemes, specifically versions up to and including 3.6. The vulnerability arises from improper privilege management (CWE-269) in the 'imic_agent_register' function, which handles user registration. Due to insufficient restrictions on the role assignment during registration, an unauthenticated attacker can arbitrarily specify their user role, including the Administrator role. This privilege escalation flaw allows attackers to gain full administrative control over the affected WordPress site without any authentication or user interaction. The vulnerability has a CVSS v3.1 score of 9.8, indicating a critical severity with network attack vector, no required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. Exploiting this flaw could enable attackers to manipulate site content, install malicious plugins or backdoors, exfiltrate sensitive data, or disrupt site operations. Although no known exploits are currently reported in the wild, the ease of exploitation and the critical impact make this vulnerability a high-risk threat for any WordPress site using the affected theme. The lack of available patches at the time of publication further increases the urgency for mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for real estate agencies, property management companies, and other businesses relying on the Real Spaces WordPress theme to manage property listings. Successful exploitation could lead to complete site takeover, resulting in data breaches involving personal and financial information of clients and users, reputational damage, and potential regulatory non-compliance under GDPR due to unauthorized access and data exposure. The ability to escalate privileges without authentication means attackers can operate stealthily and persistently. Additionally, compromised sites could be used as launchpads for further attacks within organizational networks or for distributing malware to visitors. The impact extends beyond individual organizations to their customers and partners, amplifying the threat landscape in Europe’s digital ecosystem.
Mitigation Recommendations
Given the absence of an official patch at the time of reporting, European organizations should implement immediate compensating controls. These include disabling or restricting the 'imic_agent_register' function if possible, or temporarily disabling user registration on affected sites. Organizations should audit current user roles to detect any unauthorized administrator accounts and remove them promptly. Employing Web Application Firewalls (WAFs) with custom rules to block suspicious registration requests or role assignments can help mitigate exploitation attempts. Monitoring logs for unusual registration activity and privilege escalations is critical. Organizations should also plan to update the theme to a patched version as soon as it becomes available. Additionally, enforcing multi-factor authentication for administrative access and limiting administrative privileges to trusted personnel can reduce the impact of potential compromises. Regular backups and incident response plans should be reviewed and tested to ensure rapid recovery if exploitation occurs.
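One way to apply the "restrict role assignment" and "monitor for privilege escalations" controls above while no patch exists, as an added example (not code from the theme, its vendor, or this advisory). It assumes the theme creates accounts through WordPress core's user API so that the core hooks fire; the file path, the `rsclamp_` names and the allowlist are hypothetical.

```php
<?php
/**
 * Plugin Name: Registration role clamp (added example, not vendor code)
 *
 * Compensating control for CVE-2025-6758 until a patched theme is available.
 * Assumed install path: wp-content/mu-plugins/registration-role-clamp.php
 */

// Assumption: the only role a self-registered account may hold on this site.
const RSCLAMP_ALLOWED_ROLES = array( 'subscriber' );
const RSCLAMP_FALLBACK_ROLE = 'subscriber';

/**
 * Reset any role outside the allowlist when it was assigned by a request
 * that does not come from an authorised user manager.
 */
function rsclamp_enforce( $user_id ) {
	// Leave installs and WP-CLI administration alone.
	if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
		return;
	}
	// Legitimate role changes come from a logged-in user who may promote users.
	if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
		return;
	}
	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}
	$unexpected = array_diff( (array) $user->roles, RSCLAMP_ALLOWED_ROLES );
	if ( empty( $unexpected ) ) {
		return; // Also ends the re-entrant call triggered by set_role() below.
	}
	$user->set_role( RSCLAMP_FALLBACK_ROLE );
	// Leave a trace for log monitoring and the administrator-account audit.
	error_log( sprintf(
		'[role-clamp] user_id=%d login=%s rejected_roles=%s ip=%s',
		$user_id,
		$user->user_login,
		implode( ',', $unexpected ),
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
	) );
}

// user_register fires at the end of wp_insert_user(); set_user_role fires on
// every WP_User::set_role() call, covering a role assigned after creation.
add_action( 'user_register', 'rsclamp_enforce', PHP_INT_MAX );
add_action( 'set_user_role', 'rsclamp_enforce', PHP_INT_MAX );
```

Any role that another plugin legitimately assigns during unauthenticated sign-up or from a scheduled task must be added to the allowlist, otherwise it is reset as well.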
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-27T00:08:16.995Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a48084ad5a09ad00f82390
Added to database: 8/19/2025, 1:47:48 PM
Last enriched: 8/19/2025, 2:02:58 PM
Last updated: 8/19/2025, 2:02:58 PM