CVE-2025-6190

Name of the Vulnerable Software and Affected Versions Realty Portal – Agent plugin for WordPress versions 0.1.0 through 0.3.9

Description The Realty Portal – Agent plugin for WordPress contains a flaw due to missing authorization within the rp user profile() AJAX handler. The handler retrieves client-supplied meta key and value pairs from $ POST and passes them directly to update user meta() without proper restrictions. This allows authenticated attackers with Subscriber-level access or higher to modify the wp capabilities meta and obtain administrator privileges.

Recommendations Update to a version beyond 0.3.9.