CVE-2025-2232
Published: 14 March 2025
Description
Adversaries may create an account to maintain access to victim systems (this is the MITRE ATT&CK description of Create Account, T1136, the persistence technique this vulnerability enables; the vulnerability-specific description follows in the Security Summary).
Security Summary
CVE-2025-2232 is an authentication bypass vulnerability in the Realteo - Real Estate Plugin by Purethemes for WordPress, which is bundled with the Findeo Theme. It affects all versions up to and including 1.2.8 and stems from insufficient role restrictions in the 'do_register_user' function: the registration handler does not restrict which role a newly registered user may receive, so an unauthenticated attacker can register an account that carries the Administrator role. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-269 (Improper Privilege Management).
Exploitation is remote over the network, low complexity, and needs neither privileges nor user interaction. By submitting a crafted registration request to the vulnerable function, an attacker obtains an Administrator account and with it full control of the site: reading any stored data, editing or injecting content and plugins (including web shells), disrupting availability, and using the compromised site as a foothold into the surrounding hosting environment.
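The following is an added illustration, not code from the Realteo plugin or from Purethemes. The advisory only says the flaw is "insufficient role restrictions" in do_register_user, so the vulnerable handler below is an assumed instance of that bug class (a client-supplied role passed straight to wp_insert_user()), shown beside a hardened handler built on standard WordPress APIs. The function names, the 'role' POST field and the 'example_agent' role are assumptions.

```php
<?php
/**
 * Added example, not code from the Realteo plugin or from Purethemes.
 * The vulnerable handler is an assumed instance of the bug class named in
 * the advisory (insufficient role restrictions in a registration function).
 * Function names, the 'role' POST field and 'example_agent' are assumptions.
 */

// VULNERABLE pattern: the role named in the POST body is handed to
// wp_insert_user() unchanged. sanitize_text_field() only cleans the string;
// it does not decide whether the caller may have that role, so an
// unauthenticated POST with role=administrator creates an administrator.
function example_register_user_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
        'role'       => sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) ),
    );
    return wp_insert_user( $userdata );
}

// HARDENED pattern: the server decides the role. Anonymous self-registration
// may only choose from a fixed allowlist of low-privilege roles, and anything
// else is rejected before the account exists. 'administrator' is refused
// explicitly as defence in depth even if the allowlist is later edited.
function example_register_user_hardened() {
    $self_service_roles = array( 'subscriber', 'example_agent' ); // assumed allowlist

    $requested = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    if ( '' === $requested ) {
        $requested = get_option( 'default_role', 'subscriber' );
    }
    if ( 'administrator' === $requested || ! in_array( $requested, $self_service_roles, true ) ) {
        return new WP_Error( 'invalid_role', 'That role is not available for self-registration.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
        'role'       => $requested,
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Post-condition check: confirm the stored role is the one we chose.
    // Filters such as 'wp_pre_insert_user_data' run inside wp_insert_user()
    // and could alter the data; if an administrator came out, remove it.
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here
        wp_delete_user( $user_id );
        return new WP_Error( 'invalid_role', 'Unexpected privileged role on new account; account removed.' );
    }
    return $user_id;
}
```

If the same endpoint must also let site staff create privileged accounts, that path should be gated on is_user_logged_in(), current_user_can( 'promote_users' ) and a nonce check (check_ajax_referer()) before the role is even considered; an anonymous caller should never reach a code path where the requested role is trusted.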
Advisories and patch information are detailed in the Findeo changelog at https://docs.purethemes.net/findeo/knowledge-base/changelog-findeo/ and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/abe73ecd-1325-4d6d-8545-d27f6116ca43?source=cve. Security practitioners should consult these sources for mitigation steps, including updating the plugin (and the Findeo theme that ships it) to a version later than 1.2.8 where available. Updating removes the flaw but not any accounts already created through it, so sites that ran an affected version exposed to the internet should also audit their Administrator accounts and remove any they do not recognise.
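A post-exploitation check of the kind that audit calls for, added here as an example (it is not part of the advisory or of the plugin). Run inside the site with WP-CLI (wp eval-file audit-admins.php); the allowlist of expected administrator logins and the file name are assumptions to be adjusted per site.

```php
<?php
/**
 * Added example, not part of the advisory or the plugin. Lists administrator
 * accounts and flags any that are not on an expected allowlist or were
 * registered on or after the CVE publication date shown on this page.
 * Run with WP-CLI:  wp eval-file audit-admins.php
 * The allowlist and file name are assumptions; adjust to the site.
 */

$known_admins = array( 'siteowner' );      // assumed: logins you expect to hold the administrator role
$since        = '2025-03-14 00:00:00';     // publication date of CVE-2025-2232 (UTC)

// Every user holding the administrator role, newest registration first.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

$flagged = 0;
foreach ( $admins as $u ) {
    $unexpected = ! in_array( $u->user_login, $known_admins, true );
    $recent     = $u->user_registered >= $since; // MySQL datetime strings compare lexically
    $suspicious = $unexpected || $recent;
    if ( $suspicious ) {
        $flagged++;
    }
    WP_CLI::line( sprintf(
        '%s %-20s %-32s registered %s',
        $suspicious ? '[!]' : '   ',
        $u->user_login,
        $u->user_email,
        $u->user_registered
    ) );
}

WP_CLI::line( sprintf( '%d administrator(s), %d flagged', count( $admins ), $flagged ) );
if ( $flagged > 0 ) {
    WP_CLI::warning( 'Review the flagged accounts: an exploited registration handler can have created them.' );
}
```

The registration timestamp is only what wp_insert_user() recorded at creation and is not tamper-proof, so treat the allowlist mismatch as the reliable signal and the date as a hint. Pair the account review with the usual checks on a site that has had an unknown administrator: recently modified files under wp-content, unfamiliar plugins or must-use plugins, and new application passwords or API keys.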
Details
- CWE(s): CWE-269 (Improper Privilege Management)
Affected Products: Realteo - Real Estate Plugin by Purethemes for WordPress (bundled with the Findeo Theme), all versions up to and including 1.2.8
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1136 (Create Account)
Why these techniques?
The vulnerability is an authentication bypass in a public-facing WordPress plugin that lets a remote, unauthenticated attacker create an administrator account, so it maps directly to Exploit Public-Facing Application (T1190) for initial access and to Create Account (T1136) for the persistence that the new privileged account provides.