CVE-2025-11985
WordPress · WordPress Realty Portal plugin
Executive summary
A high-severity vulnerability exists within the Realty Portal plugin for WordPress, identified as CVE-2025-11985. The flaw allows any authenticated user, regardless of their permission level, to modify plugin settings, which can be exploited to gain administrative control over the affected website. Successful exploitation could lead to a full site compromise, data theft, or website defacement.
Vulnerability
The vulnerability is a Broken Access Control issue caused by a missing capability check on the rp_save_property_settings function. This function is responsible for saving the plugin's configuration settings. Because it fails to verify that the user making the request has the appropriate administrative permissions, any authenticated user (including low-privileged roles like 'subscriber') can craft a direct request to this function to alter critical settings. An attacker can leverage this to escalate their privileges, potentially to a full administrator role, by manipulating settings that control user permissions or other security-sensitive configurations.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would grant an attacker administrative control over the WordPress site, leading to severe business consequences. These include, but are not limited to, the theft of sensitive user data and intellectual property, website defacement causing significant reputational damage, injection of malware to attack site visitors, and the complete loss of website integrity. The compromised website could also be used as a platform to launch further attacks against other systems, creating additional legal and financial liabilities for the organization.
Remediation
Immediate Action:
- Immediately identify all WordPress instances running the "Realty Portal" plugin.
- Update the plugin to the latest patched version as recommended by the vendor to resolve the vulnerability.
- If the "Realty Portal" plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface.
Proactive Monitoring:
- Review web server access logs for suspicious POST requests targeting the administrative functions of the Realty Portal plugin, particularly those originating from non-administrative users.
- Monitor the WordPress user database for any unauthorized creation of new administrator accounts or unexpected changes to the roles and capabilities of existing users.
- Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, or plugins.
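One way to carry out the user-database check above, as an added example that is not part of the original advisory or the plugin's code: it decodes the PHP-serialized role array WordPress stores per user and compares it with a trusted baseline. It assumes rows exported from `wp_users` joined to `wp_usermeta` on the `wp_capabilities` meta key (default `wp_` table prefix); the function names, sample accounts and baseline are constructed for illustration.

```python
import re

# Assumed input: (user_id, user_login, meta_value) rows exported from wp_users
# joined to wp_usermeta where meta_key = 'wp_capabilities' (default table prefix).
# One entry of the PHP-serialized array looks like: s:13:"administrator";b:1;
_CAP_ENTRY = re.compile(r's:\d+:"([^"]+)";b:([01]);')

def parse_capabilities(meta_value):
    """Return the roles/capabilities that are set to true in a capabilities value."""
    return {name for name, flag in _CAP_ENTRY.findall(meta_value) if flag == "1"}

def audit_roles(rows, baseline):
    """Compare current roles with a trusted baseline {user_login: set_of_roles}.

    Returns a list of (severity, user_login, detail) findings.
    """
    findings, seen = [], set()
    for _user_id, login, meta_value in rows:
        seen.add(login)
        current = parse_capabilities(meta_value)
        expected = baseline.get(login)
        if expected is None:
            # Account created after the baseline was taken.
            sev = "high" if "administrator" in current else "info"
            findings.append((sev, login, f"account not in baseline, roles={sorted(current)}"))
        elif current != expected:
            gained, lost = sorted(current - expected), sorted(expected - current)
            sev = "high" if "administrator" in gained else "medium"
            findings.append((sev, login, f"roles changed, gained={gained} lost={lost}"))
    for login in sorted(set(baseline) - seen):
        findings.append(("info", login, "baseline account no longer present"))
    return findings

# Constructed sample data, not taken from any real site.
SAMPLE_ROWS = [
    (1, "site-admin", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "editor-jo", 'a:1:{s:6:"editor";b:1;}'),
    (42, "reader-sam", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (58, "newacct", 'a:1:{s:13:"administrator";b:1;}'),
]
SAMPLE_BASELINE = {
    "site-admin": {"administrator"},
    "editor-jo": {"editor"},
    "reader-sam": {"subscriber"},
}

if __name__ == "__main__":
    for sev, login, detail in audit_roles(SAMPLE_ROWS, SAMPLE_BASELINE):
        print(f"[{sev}] {login}: {detail}")
```

Take the baseline from a backup or export that predates any suspected compromise, since a baseline captured afterwards would treat an attacker-created administrator as expected.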
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting the vulnerable rp_save_property_settings function.
- Restrict access to the WordPress administrative dashboard (/wp-admin/) to only trusted IP addresses.
- Enforce Multi-Factor Authentication (MFA) for all users, especially those with administrative privileges, to add another layer of security against account takeovers.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8 and the direct path to privilege escalation, this vulnerability presents a critical risk to the organization. We strongly recommend that all affected instances of the Realty Portal plugin be updated to a patched version with the highest priority. Although this CVE is not yet on the CISA KEV list, the ease of exploitation necessitates immediate action. Following the update, a security audit should be performed on affected websites to search for any signs of prior compromise, such as unauthorized user accounts or suspicious files.