CVE-2025-3609
Reales WP STPT <= 2.1.2 - Unauthorized User Registration
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation.
*Credits:
Friderika Baranyai
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-04-14 CVE Reserved
- 2025-05-05 CVE Published
- 2025-05-06 CVE Updated
- 2025-06-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568 | ||
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9f3250f-39a1-4ba1-b9a2-222926635ca0?source=cve |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Pixel Prime Search vendor "Pixel Prime" | Reales WP STPT Search vendor "Pixel Prime" for product "Reales WP STPT" | <= 2.1.2 Search vendor "Pixel Prime" for product "Reales WP STPT" and version " <= 2.1.2" | en |
Affected
|