PT-2025-22985 · WordPress · Property Plugin
Kenneth Dunn
·
Published
2025-05-27
·
Updated
2025-05-27
·
CVE-2025-5117
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Property plugin for WordPress versions 1.0.5 through 1.0.6
Description
The issue is related to a missing capability check on the use of the
property package user role metadata. This allows authenticated attackers with Author-level access and above to elevate their privileges to that of an administrator. The exploitation involves creating a package post with the property package user role set to administrator and then submitting the PayPal registration form.Recommendations
For versions 1.0.5 through 1.0.6, consider disabling the use of the
property package user role metadata until a patch is available. Restrict access to the package post creation feature to minimize the risk of exploitation. Avoid using the property package user role metadata in the affected plugin until the issue is resolved.Fix
LPE
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Property Plugin