Platform: wordpress
Component: wp-realestate
Fixed in: 1.6.27
CVE-2025-2237 represents a critical privilege escalation vulnerability discovered in the WP RealEstate plugin for WordPress, commonly used with the Homeo theme. This flaw allows unauthenticated attackers to bypass role restrictions and register an account with administrator privileges, effectively gaining complete control over the WordPress site. The vulnerability impacts versions 1.0.0 through 1.6.26, and a patch is available from the vendor.
The impact of CVE-2025-2237 is severe. An attacker exploiting this vulnerability can gain full administrative access to the WordPress site without any prior authentication. This allows them to modify content, install malicious plugins, steal sensitive data (user credentials, financial information, customer data), deface the website, or even completely compromise the server. The ability to register as an administrator bypasses standard WordPress security measures and represents a significant risk to website integrity and data confidentiality. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for large-scale compromise if exploited.
CVE-2025-2237 was publicly disclosed on April 1, 2025. While no public proof-of-concept (PoC) code has been released at the time of writing, the low barrier to exploitation (unauthenticated administrator registration) makes real-world abuse likely. The vulnerability has not yet been added to the CISA KEV catalog, but its criticality warrants close monitoring. Active campaigns targeting WordPress plugins are common, which further increases the likelihood of exploitation.
Exploit Status
EPSS: 0.80% (74th percentile)
The primary mitigation for CVE-2025-2237 is to upgrade the WP RealEstate plugin to a patched version immediately. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling open user registration so that only existing, trusted administrators can create accounts. While not a complete solution, this limits the immediate risk. Review user accounts for any suspicious entries created around the time of the vulnerability's disclosure, paying particular attention to accounts holding the administrator role. Implement a Web Application Firewall (WAF) with rules that block suspicious registration attempts or requests targeting the 'process_register' endpoint. After upgrading, verify the fix by attempting to register a new user without authentication and confirming that the registration fails with an appropriate error message.
Update the WP RealEstate plugin to a patched version (1.6.27 or later; versions 1.0.0 through 1.6.26 are affected) to mitigate the privilege escalation vulnerability. Check for updates in the WordPress plugin repository or on the developer's website. Implement additional security measures, such as limiting which roles can be assigned during registration and carrying out regular permission reviews.
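The account review recommended above can be scripted. The following is an added example written for this advisory, not code from the WP RealEstate plugin or its vendor. It assumes the input is the CSV produced by the WP-CLI command `wp user list --fields=ID,user_login,user_email,roles,user_registered --format=csv`; the sample export embedded below is constructed for the example, and the allowlist of known administrator logins is hypothetical. Any administrator account that is not on the allowlist, or that was registered on or after the disclosure date of April 1, 2025, is reported for manual review.

```python
"""Audit a WordPress user export for administrator accounts that should not exist.

Added example for the CVE-2025-2237 advisory; not code from the WP RealEstate
plugin or its vendor. Assumes the CSV format produced by the real WP-CLI command
`wp user list --fields=ID,user_login,user_email,roles,user_registered --format=csv`.
"""
import csv
import io
from datetime import datetime

# Public disclosure date of CVE-2025-2237 (from the advisory). Administrator
# accounts created on or after this date deserve a closer look.
DISCLOSURE_DATE = datetime(2025, 4, 1)

# Constructed sample of a WP-CLI user export; not real data.
SAMPLE_EXPORT = """ID,user_login,user_email,roles,user_registered
1,siteowner,owner@example.com,administrator,2021-06-10 09:12:44
2,editor_jane,jane@example.com,editor,2022-02-03 14:01:10
7,agent_bob,bob@example.com,"author,subscriber",2024-11-20 08:30:00
42,helpdesk,help@example.com,administrator,2025-04-03 02:17:55
43,zxq1,zxq1@example.net,administrator,2025-04-05 23:59:01
"""

# Hypothetical allowlist: the administrator logins the site team actually created.
KNOWN_ADMINS = {"siteowner"}


def parse_export(csv_text):
    """Parse the WP-CLI CSV into dicts with a role set and a parsed registration time."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        users.append({
            "id": int(row["ID"]),
            "login": row["user_login"],
            "email": row["user_email"],
            # WP-CLI joins multiple roles with commas inside one quoted field.
            "roles": {r.strip() for r in row["roles"].split(",") if r.strip()},
            "registered": datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S"),
        })
    return users


def find_suspicious_admins(users, known_admins=KNOWN_ADMINS, since=DISCLOSURE_DATE):
    """Return administrator accounts that are not on the allowlist or were
    registered on/after the disclosure date, together with the reasons flagged."""
    findings = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        reasons = []
        if u["login"] not in known_admins:
            reasons.append("not in admin allowlist")
        if u["registered"] >= since:
            reasons.append("registered after disclosure")
        if reasons:
            findings.append({"id": u["id"], "login": u["login"], "reasons": reasons})
    return findings


def main():
    users = parse_export(SAMPLE_EXPORT)
    for f in find_suspicious_admins(users):
        print(f"user {f['id']} ({f['login']}): {', '.join(f['reasons'])}")


if __name__ == "__main__":
    main()
```

Run against a real export, the two checks complement each other: the allowlist catches administrator accounts that nobody on the team recognises regardless of age, while the date check catches accounts that appeared in the exposure window even if their names look plausible. Flagged accounts should be reviewed and, where unexplained, have the administrator role removed and their sessions invalidated.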
CVE-2025-2237 is a critical vulnerability in the WP RealEstate plugin for WordPress allowing unauthenticated attackers to register as administrators, gaining full control of the site. It affects versions 1.0.0–1.6.26.
Yes, if your WordPress site uses the WP RealEstate plugin and is running version 1.0.0 through 1.6.26, you are vulnerable to this privilege escalation attack.
Upgrade the WP RealEstate plugin to the latest available version, as the vendor has released a patch to address this vulnerability. If immediate upgrade is not possible, restrict user registration.
While no public exploits are currently known, the ease of exploitation suggests a high probability of active exploitation. Monitor your site closely.
Refer to the official WP RealEstate plugin website or WordPress.org plugin repository for the latest security advisory and patch information.