PT-2025-24607 · WordPress · Rh - Real Estate Wordpress Theme
Thái An · Published 2025-06-10 · Updated 2025-07-17
CVE-2025-4601
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
RH - Real Estate WordPress Theme versions prior to 4.4.1
Description
The issue is a privilege escalation: the theme does not properly restrict which user roles can be updated as part of the `inspiry_update_profile()` function. This allows authenticated attackers with subscriber-level access and above to set their role to that of an administrator.
Recommendations
For versions prior to 4.4.1, update to version 4.4.1 to fully patch the vulnerability.
As a temporary workaround, consider restricting access to the `inspiry_update_profile()` function until the issue is resolved.
Fix
LPE
Improper Privilege Management
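One way to add a compensating control for the temporary workaround above is shown below. It is an added example, not the theme's code or the vendor's patch. It is a WordPress must-use plugin that reverts any role change a user makes to their own account unless they already held the core `promote_users` capability. The function name `example_revert_self_role_change` and the file path are hypothetical, and the policy itself is an assumption about the site.

```php
<?php
/**
 * Plugin Name: Self role-change guard (added example, not vendor code)
 * Install as a must-use plugin: wp-content/mu-plugins/self-role-guard.php
 *
 * Assumption: on this site, an account that does not already hold the core
 * 'promote_users' capability never has a legitimate reason to change its
 * own role. The function name below is hypothetical.
 */

add_action( 'set_user_role', 'example_revert_self_role_change', 10, 3 );

function example_revert_self_role_change( $user_id, $new_role, $old_roles ) {
	// Only act when a logged-in user has just changed the role of their own account.
	if ( ! is_user_logged_in() || get_current_user_id() !== (int) $user_id ) {
		return;
	}

	// Decide from the roles held *before* the change; the new role may
	// already grant 'promote_users' by the time this hook runs.
	foreach ( (array) $old_roles as $slug ) {
		$role = get_role( $slug );
		if ( $role && $role->has_cap( 'promote_users' ) ) {
			return; // Was already allowed to manage roles.
		}
	}

	// Restore the previous roles without re-triggering this callback.
	remove_action( 'set_user_role', 'example_revert_self_role_change', 10 );
	$user = new WP_User( $user_id );
	$user->set_role( '' ); // Empty string clears all roles.
	foreach ( (array) $old_roles as $slug ) {
		$user->add_role( $slug );
	}
	add_action( 'set_user_role', 'example_revert_self_role_change', 10, 3 );

	// Leave a trace for whoever reviews the PHP error log.
	error_log( sprintf(
		'Blocked self role change: user_id=%d attempted_role=%s restored=%s',
		$user_id,
		sanitize_key( (string) $new_role ),
		implode( ',', array_map( 'sanitize_key', (array) $old_roles ) )
	) );
}
```

The guard runs after WordPress has written the new role and restores the old one within the same request, so other callbacks hooked to `set_user_role` at an earlier priority still see the change; it complements the update to 4.4.1 rather than replacing it.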
Weakness Enumeration
Related Identifiers
Affected Products
Rh - Real Estate Wordpress Theme