Platform: wordpress
Component: wp-realestate
Fixed version: 1.6.27
CVE-2025-2237 represents a critical privilege escalation vulnerability discovered in the WP RealEstate plugin for WordPress, commonly used with the Homeo theme. This flaw allows unauthenticated attackers to bypass role restrictions and register an account with administrator privileges, effectively gaining complete control over the WordPress site. The vulnerability impacts versions 1.0.0 through 1.6.26, and a patch is available from the vendor.
The impact of CVE-2025-2237 is severe. An attacker exploiting this vulnerability can gain full administrative access to the WordPress site without any prior authentication. This allows them to modify content, install malicious plugins, steal sensitive data (user credentials, financial information, customer data), deface the website, or even completely compromise the server. The ability to register as an administrator bypasses standard WordPress security measures and represents a significant risk to website integrity and data confidentiality. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for large-scale compromise if exploited.
CVE-2025-2237 was publicly disclosed on April 1, 2025. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation (unauthenticated administrator registration) suggests a high probability of exploitation. The vulnerability has not yet been added to the CISA KEV catalog, but its criticality warrants close monitoring. Active campaigns targeting WordPress plugins are common, increasing the likelihood of exploitation.
Websites utilizing the WP RealEstate plugin, particularly those running versions 1.0.0 through 1.6.26, are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin updates and security configurations. Sites relying on the Homeo theme, which frequently integrates with WP RealEstate, are also directly impacted.
• wordpress / composer / npm: wp plugin list | grep -i 'realestate'   # matches the plugin slug (wp-realestate); WP-CLI lists slugs, not display names
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: wp plugin status | grep -i 'realestate'
• wordpress / composer / npm: wp option get admin_email   # Check for suspicious admin email addresses
Disclosure
Exploitation status
EPSS
0.80% (74th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2237 is to immediately upgrade the WP RealEstate plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting user registration to known, trusted administrators. While not a complete solution, this can limit the immediate risk. Review user accounts for any suspicious entries created around the time of the vulnerability's disclosure. Implement a Web Application Firewall (WAF) with rules to block suspicious registration attempts or requests targeting the 'process_register' endpoint. After upgrading, verify the fix by attempting to register a new user without authentication and confirming that the registration fails with an appropriate error message.
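The two checks this section and the WP-CLI command list call for, deciding whether an installed plugin version is in the affected range and reviewing administrator accounts created around the disclosure date, are written out below as an added example; it is not code from the advisory or from the plugin vendor. The version bounds and the disclosure date come from this page. The CSV layout it parses is an assumption about what `wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv` prints on a live site; the sample rows are constructed, not real accounts.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): classify an installed
# WP RealEstate version against the affected range 1.0.0 through 1.6.26, and flag
# administrator accounts registered on or after the disclosure date.
# Assumed input layout for flag_recent_admins (not shown on the page):
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv

FIXED_VERSION="1.6.27"       # first patched release, per the advisory
FIRST_AFFECTED="1.0.0"       # lower bound of the affected range
DISCLOSURE_DATE="2025-04-01" # public disclosure date, per the advisory

# version_cmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (dot-separated numeric parts;
# a missing trailing component counts as 0, so 1.6 == 1.6.0).
version_cmp() {
  a="$1."
  b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# plugin_status VERSION: prints "affected" when 1.0.0 <= VERSION < 1.6.27,
# otherwise "not-affected".
plugin_status() {
  v="$1"
  if [ "$(version_cmp "$v" "$FIRST_AFFECTED")" -ge 0 ] &&
     [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]; then
    echo affected
  else
    echo not-affected
  fi
}

# flag_recent_admins: reads the CSV on stdin and prints the login of every
# administrator whose registration date is on or after DISCLOSURE_DATE.
# The header row is skipped because its third field does not start with a digit;
# ISO dates compare correctly as strings.
flag_recent_admins() {
  awk -F, -v since="$DISCLOSURE_DATE" \
    '$3 ~ /^[0-9]/ && substr($3, 1, 10) >= since { print $2 }'
}

# Constructed sample of what the WP-CLI call above might print (not real data).
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,2021-03-10 09:12:44
7,editor_jane,2024-11-02 15:40:01
42,sysadm1n,2025-04-03 02:17:55
43,support,2025-04-05 11:00:00'

# Runs the account review over the embedded sample so the check works offline.
recent_admins_in_sample() {
  printf '%s\n' "$SAMPLE_ADMINS" | flag_recent_admins
}

for v in 1.0.0 1.6.26 1.6.27 1.7.0; do
  echo "WP RealEstate $v: $(plugin_status "$v")"
done
echo "Administrator accounts created on/after $DISCLOSURE_DATE:"
recent_admins_in_sample
```

On a real site, replace the sample with the piped output of the WP-CLI call and feed `wp plugin get wp-realestate --field=version` (the slug from this page's component field) into `plugin_status`; any login the review prints should be checked against your own change records before being treated as an intrusion indicator.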
Update the WP RealEstate plugin to a fixed version (above 1.6.26) to mitigate the privilege escalation vulnerability. Check the WordPress repository or the developer's website for an available update. Implement additional security measures, such as restricting user roles and regularly reviewing permissions.
CVE-2025-2237 is a critical vulnerability in the WP RealEstate plugin for WordPress allowing unauthenticated attackers to register as administrators, gaining full control of the site. It affects versions 1.0.0–1.6.26.
Yes, if your WordPress site uses the WP RealEstate plugin and is running version 1.0.0 through 1.6.26, you are vulnerable to this privilege escalation attack.
Upgrade the WP RealEstate plugin to the latest available version, as the vendor has released a patch to address this vulnerability. If immediate upgrade is not possible, restrict user registration.
While no public exploits are currently known, the ease of exploitation suggests a high probability of active exploitation. Monitor your site closely.
Refer to the official WP RealEstate plugin website or WordPress.org plugin repository for the latest security advisory and patch information.