A critical privilege escalation vulnerability, identified as CVE-2025-6994, has been discovered in the Reveal Listing plugin for WordPress. This flaw allows a low-privileged user, such as a new registrant, to gain administrative access to the affected WordPress site during the registration process. Successful exploitation could result in a complete compromise of the website, leading to data theft, defacement, or further attacks originating from the compromised server.

The vulnerability exists within the user registration functionality of the Reveal Listing plugin. The registration process fails to properly sanitize or validate the user role parameter submitted by a new user. An unauthenticated attacker can craft a special registration request, injecting a parameter to assign their new account the 'administrator' role, bypassing the default 'subscriber' role assignment. This grants the attacker full administrative privileges upon account creation.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete control over the affected WordPress website. This could lead to severe business consequences, including the theft of sensitive customer data and intellectual property, reputational damage from website defacement, financial loss if the site is used for e-commerce, and legal or regulatory penalties. The compromised website could also be used to host malware, launch phishing campaigns against customers, or act as a pivot point for further attacks into the corporate network.

Immediate Action: Immediately update the Reveal Listing plugin to the latest patched version provided by the vendor, smartdatasoft. After patching, it is crucial to review all existing user accounts, especially those with high privileges, to identify and remove any unauthorized accounts that may have been created by exploiting this vulnerability.

Proactive Monitoring: System administrators should actively monitor web server access logs for suspicious POST requests to user registration endpoints. Specifically, look for registration attempts that contain unexpected parameters related to user roles (e.g., role=administrator). Additionally, implement alerts for the creation of any new user account with administrative-level privileges.

Compensating Controls: If immediate patching is not feasible, consider the following controls:

• Temporarily disable user registration functionality on the website if it is not a critical feature.
• Implement a Web Application Firewall (WAF) with custom rules to inspect and block registration requests containing user role parameters.
• Enforce a manual review and approval process for all new user registrations.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that organizations using the affected plugin apply the vendor-supplied patch immediately. The risk of a full website compromise is high. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion and widespread exploitation. Prioritize patching this vulnerability across all relevant assets without delay and conduct a thorough audit for signs of compromise.