Platform
wordpress
Component
reveal-listing
Fixed in
3.3.1
CVE-2025-6994 is a privilege escalation vulnerability affecting the Reveal Listing plugin for WordPress. This flaw allows unauthenticated attackers to elevate their privileges to administrator level by manipulating user registration parameters. The vulnerability impacts versions 0.0.0 through 3.3 of the plugin. A patch is expected from the vendor.
The impact of this vulnerability is severe. An attacker can bypass authentication and directly gain administrator access to a WordPress site running the vulnerable plugin. This grants them complete control over the site, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially pivot to other systems on the network. The ease of exploitation – simply creating an account with a specified role – significantly increases the risk of widespread compromise.
This vulnerability was publicly disclosed on 2025-08-06. No public proof-of-concept (PoC) code has been released at the time of writing, but the simplicity of the exploit suggests a high probability of exploitation. It is not currently listed on CISA KEV. Given the ease of exploitation and the potential impact, organizations using this plugin should prioritize patching.
WordPress sites utilizing the Reveal Listing plugin, particularly those with open user registration enabled or lacking robust role-based access controls, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also vulnerable, as a compromise of one site could potentially lead to lateral movement to others.
• wordpress / composer / npm: `grep -r 'listing_user_role' /var/www/html/wp-content/plugins/reveal-listing/`
• wordpress / composer / npm: `wp plugin list --status=inactive | grep reveal-listing`
• wordpress / composer / npm: `wp plugin update --all`
• generic web: Check the WordPress plugin directory for updates to Reveal Listing.
Disclosure
Exploit status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Reveal Listing plugin to a version that addresses this vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing strict user role management within WordPress, limiting the number of administrator accounts, and regularly auditing user permissions can reduce the potential impact. There are no specific WAF rules or detection signatures readily available for this specific vulnerability, making prompt patching crucial.
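Because no detection signature exists, the most useful check on a site that ran a vulnerable version is an audit of who holds the administrator role and when each account was registered. The script below is an added example, not part of this advisory or of the plugin: it parses the CSV that wp-cli prints for `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` (column order is assumed to be exactly that) and flags every administrator registered on or after the disclosure date; the embedded CSV is constructed sample data.

```shell
#!/bin/sh
# Added example: flag administrator accounts registered on or after a
# threshold date. Threshold defaults to the CVE-2025-6994 disclosure date;
# if you know when the vulnerable plugin was installed, use that instead.
DISCLOSURE_DATE="2025-08-06"

# flag_recent_admins SINCE
#   Reads wp-cli CSV (ID,user_login,user_email,user_registered) on stdin.
#   Prints "FLAG <ID> <login> <email> <registered>" for each admin whose
#   registration date is >= SINCE (YYYY-MM-DD). Returns 1 if any were
#   flagged, 0 otherwise, so it can drive an alert from cron.
flag_recent_admins() {
    awk -F',' -v since="$1" '
        NR == 1 { next }                       # skip the CSV header row
        {
            # user_registered looks like "2025-08-07 10:15:32"; ISO dates
            # compare correctly as plain strings, so no date parsing needed
            reg = substr($4, 1, 10)
            if (reg >= since) {
                print "FLAG " $1 " " $2 " " $3 " " $4
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample output: one long-standing owner account and two
# administrators that appeared after the disclosure date.
SAMPLE_CSV='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-14 09:00:00
57,listing_7742,drop@example.net,2025-08-07 10:15:32
58,jdoe,jdoe@example.com,2025-08-09 22:41:05'

# On a live site replace the printf with the wp-cli command from the lead-in.
if printf '%s\n' "$SAMPLE_CSV" | flag_recent_admins "$DISCLOSURE_DATE"; then
    echo "no administrator accounts registered since $DISCLOSURE_DATE"
else
    echo "review the flagged accounts above before trusting them"
fi
```

Any flagged account that nobody on the team created deliberately should be treated as a sign of compromise, not just demoted: rotate credentials and review what it changed.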
Update the Reveal Listing plugin to the latest available version to fix the privilege escalation vulnerability. Check for updates in the WordPress plugin repository or on the developer's website. Also review user permissions and role configurations to ensure that only authorized users have access to administrative functions.
CVE-2025-6994 is a critical vulnerability in the Reveal Listing WordPress plugin allowing unauthenticated attackers to gain administrator privileges by manipulating user registration parameters.
If you are using Reveal Listing plugin versions 0.0.0 through 3.3 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Reveal Listing plugin as soon as it becomes available. Until then, disable user registration or implement stricter role assignment controls.
While no public exploits are currently known, the ease of exploitation suggests a high probability of exploitation if left unpatched.
Check the smartdatasoft website and WordPress plugin directory for updates and advisories related to CVE-2025-6994.