CVE-2025-6758
The Real Spaces - WordPress Properties Directory Theme
Executive summary
A critical privilege escalation vulnerability has been identified in The Real Spaces WordPress theme, affecting multiple products. This flaw allows an unauthenticated attacker to create a new user account with full administrative privileges, potentially leading to a complete compromise of the affected website. Successful exploitation could result in data theft, website defacement, or the distribution of malware to visitors.
Vulnerability
The vulnerability exists within the imic_agent_register function, which handles new user registrations. The function fails to properly sanitize or validate the user role data submitted during the registration process. An unauthenticated attacker can craft a malicious request to the registration endpoint, supplying parameters that assign the 'administrator' role to the newly created account, thereby obtaining a full administrator account without holding any prior access to the site.
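As an added illustration (not the theme's code and not the vendor's patch), the handler below shows the server-side pattern that prevents this class of bug: the role assigned to a self-registered account is chosen from a fixed allow-list on the server and is never read from the request. The function name secure_agent_register, the form field names, the nonce action and the custom 'agent' role are assumptions made for this example.

```php
<?php
/**
 * Added example, not the theme's code: a WordPress AJAX registration
 * handler hardened against role injection. The names secure_agent_register,
 * agent_register_nonce, agent_user, agent_email, agent_pass and the
 * 'agent' role are hypothetical.
 */

// Roles a self-registration endpoint is ever allowed to produce.
// The client's input plays no part in this decision.
const AGENT_REGISTER_ALLOWED_ROLES = array( 'subscriber', 'agent' );

function secure_agent_register() {
    // 1. Only accept the form from a page that rendered our nonce (CSRF protection).
    $nonce = isset( $_POST['agent_register_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['agent_register_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'agent_register' ) ) {
        wp_send_json_error( 'invalid request', 403 );
    }

    // 2. Respect the site's own "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'registration disabled', 403 );
    }

    // 3. Sanitize identity fields; never hand raw $_POST to the user API.
    $login = sanitize_user( wp_unslash( $_POST['agent_user'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['agent_email'] ?? '' ) );
    $pass  = (string) ( $_POST['agent_pass'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // 4. The role comes from site configuration, filtered through the allow-list.
    //    The vulnerable pattern is passing a client-supplied value (for example
    //    $_POST['role']) straight into wp_insert_user(), which lets a request
    //    name 'administrator'. Nothing from $_POST reaches this variable.
    $role = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, AGENT_REGISTER_ALLOWED_ROLES, true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }

    // 5. Defence in depth: verify the stored account holds no elevated role,
    //    so a bug elsewhere (a filter, a plugin) cannot silently promote it.
    $user = get_userdata( $user_id );
    if ( $user && array_intersect( $user->roles, array( 'administrator', 'editor' ) ) ) {
        wp_delete_user( $user_id );
        wp_send_json_error( 'unexpected role', 500 );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Register the handler for unauthenticated visitors via admin-ajax.php.
add_action( 'wp_ajax_nopriv_secure_agent_register', 'secure_agent_register' );
```

The essential property is step 4: a registration endpoint exposed to anonymous users has no legitimate reason to accept a role parameter at all, so the safe design ignores one rather than validating it. The post-insert check in step 5 is cheap and catches the case where the role is tampered with after the handler's own logic, for instance by another component hooking wp_insert_user.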
Business impact
This is a critical severity vulnerability with a CVSS score of 9.8. A successful exploit grants an attacker complete control over the WordPress website, posing a significant risk to the business. Potential consequences include the theft of sensitive customer or business data, unauthorized modification of website content, reputational damage, and financial loss. The compromised website could also be used to host phishing campaigns, distribute malware, or act as a pivot point for further attacks into the corporate network.
Remediation
Immediate Action: Immediately update all affected Real Spaces products to the latest version provided by the vendor to patch the vulnerability. After updating, review all existing user accounts, particularly those with administrative privileges, to identify and remove any unauthorized accounts that may have been created.
Proactive Monitoring: Monitor web server access logs for an unusual volume of requests to user registration pages or direct calls to the imic_agent_register function. Implement alerts for the creation of new administrative accounts. Regularly review site integrity by monitoring for unexpected file changes, new plugin installations, or modifications to core WordPress files.
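One way to implement the alert on new administrative accounts, as an added example that is not the theme's or vendor's code: a must-use plugin that hooks WordPress's own role-assignment events, so it fires regardless of which theme or plugin created the account. The function names, the ADMIN_WATCH_ROLES constant and the log-line format are this example's own.

```php
<?php
/**
 * Added example, not the theme's or vendor's code: a must-use plugin
 * (place in wp-content/mu-plugins/) that logs and e-mails the site
 * administrator whenever an account is created with, or promoted to,
 * the administrator role. Names and log format are hypothetical.
 */

const ADMIN_WATCH_ROLES = array( 'administrator' );

// Single place to emit the alert so every hook shares one format.
function admin_watch_alert( string $event, int $user_id, array $roles ) {
    $user  = get_userdata( $user_id );
    $login = $user ? $user->user_login : "id:$user_id";
    $actor = get_current_user_id();   // 0 when the request was unauthenticated
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $uri   = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';

    $line = sprintf(
        'ADMIN-WATCH %s user=%s roles=%s actor_id=%d ip=%s uri=%s',
        $event, $login, implode( ',', $roles ), $actor, $ip, $uri
    );

    error_log( $line );   // PHP error log, or wp-content/debug.log with WP_DEBUG_LOG
    wp_mail( get_option( 'admin_email' ), 'Administrator account event on ' . home_url(), $line );
}

// WP_User::set_role() fires this; wp_insert_user() calls set_role() for every
// new account, so an empty $old_roles here normally means a freshly created user.
function admin_watch_on_set_role( $user_id, $role, $old_roles ) {
    $old_roles = (array) $old_roles;
    if ( in_array( $role, ADMIN_WATCH_ROLES, true ) && ! in_array( $role, $old_roles, true ) ) {
        $event = empty( $old_roles ) ? 'created' : 'promoted';
        admin_watch_alert( $event, (int) $user_id, array( $role ) );
    }
}
add_action( 'set_user_role', 'admin_watch_on_set_role', 10, 3 );

// WP_User::add_role() adds a role without replacing existing ones and fires
// this hook instead of set_user_role, so it needs its own listener.
function admin_watch_on_add_role( $user_id, $role ) {
    if ( in_array( $role, ADMIN_WATCH_ROLES, true ) ) {
        admin_watch_alert( 'role-added', (int) $user_id, array( $role ) );
    }
}
add_action( 'add_user_role', 'admin_watch_on_add_role', 10, 2 );
```

The actor_id field is the useful triage signal here: an administrator created while actor_id is 0 means the request was unauthenticated, which is exactly the condition this vulnerability produces. Two caveats: REMOTE_ADDR is the upstream proxy's address when the site sits behind a CDN or load balancer, so read the forwarded-for header your proxy is configured to set instead; and these hooks observe the WP_User API only, so an account whose capabilities were written directly into the usermeta table (for example through a database compromise) is not seen and still needs the periodic account review described above.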
Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to block malicious payloads targeting the user registration function.
- Temporarily disable user registration functionality on the website if it is not a critical business feature.
- Enforce multi-factor authentication (MFA) for all administrative accounts to add an extra layer of security.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the low complexity of exploitation, immediate action is required. Organizations using the affected WordPress theme must prioritize applying the vendor-supplied patch without delay to prevent a full website compromise. Although this vulnerability is not currently listed on the CISA KEV catalog, its high severity and potential impact make it a prime candidate for future inclusion and widespread exploitation.