Platform
wordpress
Component
real-spaces
Fixed in
3.6.1
CVE-2025-6758 represents a critical privilege escalation vulnerability discovered in the Real Spaces - WordPress Properties Directory Theme. This flaw allows unauthenticated attackers to escalate their privileges to the Administrator role during user registration, granting them complete control over the WordPress site. The vulnerability impacts versions 0.0.0 through 3.6 of the theme, and a patch is expected to be released by the vendor.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-6758 can gain full administrative access to the WordPress site without any prior authentication. This allows them to modify content, install malicious plugins, steal sensitive data (user credentials, database information), and potentially compromise the entire server. The attacker could deface the website, inject malware, or use the site as a launchpad for further attacks against other systems on the network. This vulnerability is particularly concerning given the popularity of WordPress and the potential for widespread exploitation.
CVE-2025-6758 was publicly disclosed on 2025-08-19. The vulnerability's ease of exploitation, combined with the widespread use of WordPress, suggests a high probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity makes it likely that a PoC will emerge soon. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.24% (47th percentile)
The primary mitigation for CVE-2025-6758 is to upgrade to a patched version of the Real Spaces theme as soon as it becomes available. Until a patch is released, consider temporarily disabling user registration or implementing stricter role-based access controls within WordPress. Web application firewalls (WAFs) configured to detect and block suspicious registration attempts could provide an additional layer of protection. Monitor WordPress logs for unusual user registration activity, particularly registrations with elevated roles. After upgrading, verify the fix by attempting a user registration and confirming that role assignment is restricted to authorized users.
Update the Real Spaces theme to a version later than 3.6. This update addresses the privilege escalation vulnerability by restricting role selection during user registration, preventing unauthenticated attackers from assigning themselves the administrator role.
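The fix described above and the monitoring advice from the mitigation section, as an added hypothetical PHP illustration that is not the Real Spaces theme's own code: a registration handler that takes the role from an allow-list instead of the request body, and a user_register hook that logs and reverts any account created with a privileged role by a request that lacks the create_users capability. All rs_example_* names, the nonce action and the form field names are assumptions.

```php
<?php
// Added illustration of the fix described above (role selection restricted at
// registration) plus the log-and-revert check the mitigation advice suggests.
// Hypothetical code, not the Real Spaces theme's own; rs_example_* names are invented.

// Roles a self-service registration form may request; 'administrator' is never one.
const RS_EXAMPLE_ALLOWED_ROLES = ['subscriber'];

// Decide the role for a new account without trusting the request body.
function rs_example_resolve_registration_role(string $requested): string {
    $requested = sanitize_key($requested);
    if (in_array($requested, RS_EXAMPLE_ALLOWED_ROLES, true)) {
        return $requested;
    }
    // Fall back to the site default (Settings > General > New User Default Role).
    return (string) get_option('default_role', 'subscriber');
}

// Front-end registration handler: nonce-checked, role taken from the
// allow-list rather than copied verbatim from $post['role'].
function rs_example_register_user(array $post) {
    if (!wp_verify_nonce($post['_wpnonce'] ?? '', 'rs_example_register')) {
        return new WP_Error('bad_nonce', 'Invalid registration request.');
    }
    return wp_insert_user([
        'user_login' => sanitize_user($post['username'] ?? ''),
        'user_email' => sanitize_email($post['email'] ?? ''),
        'user_pass'  => (string) ($post['password'] ?? ''),
        'role'       => rs_example_resolve_registration_role((string) ($post['role'] ?? '')),
    ]);
}

// Defence in depth: an account created with a privileged role by a request that
// lacks the create_users capability (i.e. not an admin using Users > Add New)
// is logged and reset to the default role. Registrations with elevated roles are
// exactly what the mitigation advice says to watch for.
add_action('user_register', function (int $user_id): void {
    if (current_user_can('create_users')) {
        return; // legitimate administrative user creation
    }
    $user = get_userdata($user_id);
    $privileged = $user ? array_intersect($user->roles, ['administrator', 'editor']) : [];
    if ($privileged !== []) {
        error_log(sprintf('[rs-example] uid %d registered with role(s): %s', $user_id, implode(',', $privileged)));
        $user->set_role(rs_example_resolve_registration_role(''));
    }
});
```

The hook runs for every wp_insert_user call, so the create_users check is what keeps it from reverting accounts an administrator creates deliberately.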
CVE-2025-6758 is a critical vulnerability in the Real Spaces WordPress Properties Directory Theme allowing unauthenticated users to escalate privileges to Administrator. This impacts versions 0.0.0–3.6.
If you are using the Real Spaces WordPress Properties Directory Theme version 0.0.0 through 3.6, you are potentially affected by this privilege escalation vulnerability.
Upgrade to a patched version of the Real Spaces theme as soon as it becomes available. Until then, disable user registration or implement stricter role-based access controls.
While no public exploits are currently known, the vulnerability's simplicity suggests a high probability of exploitation. Monitor security advisories for updates.
Refer to the vendor's website or WordPress plugin repository for the official advisory and patch release information.