Introduction
A single plugin misconfiguration can allow attackers to seize control of an entire WordPress site. CVE-2025-11985 demonstrates how a missing capability check in a widely used real estate plugin can let any authenticated user escalate privileges to administrator. For organizations running property listing sites on WordPress, this vulnerability exposes the risk of total site compromise with minimal attacker effort.
About Realty Portal: Realty Portal is a feature-rich WordPress plugin for real estate professionals. It enables property listing management, agent profiles, and front-end submissions, and is distributed via the official WordPress plugin repository. While not as ubiquitous as WooCommerce, it is a popular choice for real estate sites seeking turnkey property management features.
Technical Information
CVE-2025-11985 is a privilege escalation vulnerability caused by a missing authorization check (CWE-862) in the Realty Portal plugin for WordPress. The problem exists in the rp_save_property_settings function, which is registered as an authenticated AJAX handler. This function is intended to allow privileged users to update property-related settings via AJAX requests. However, the function does not verify that the requesting user has the appropriate capability (such as manage_options) before updating WordPress options.
The vulnerable function is accessible to any authenticated user, including those with the lowest Subscriber role. Attackers can exploit this by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to rp_save_property_settings and arbitrary option values in the request body. Critically, the attacker can set the users_can_register option to 1 (enabling public user registration) and the default_role option to administrator (making all new users administrators). This allows the attacker to register a new account with full administrative privileges, resulting in complete site takeover.
The root cause is the absence of a capability check using current_user_can before calling update_option. The function should have verified that the user has the manage_options capability before allowing any option updates. This missing check is a well-known security pitfall in WordPress plugin development.
Relevant code locations (from public sources):
Affected Systems and Versions
- Product: Realty Portal WordPress Plugin
- Affected Versions: 0.1 through 0.4.1 (inclusive)
- Any WordPress site with one of these versions installed and activated is vulnerable
- The vulnerability is present regardless of site configuration, as long as the plugin is active and user registration is possible
Vendor Security History
There is no public record of previous security advisories or a strong security track record for the Realty Portal plugin vendor. No official patch or response has been released as of the publication date. The vendor's security maturity and response time are unclear.
