CVE-2025-3610: 
WordPress vulnerability analysis and mitigation

The Reales WP STPT plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-3610) affecting all versions up to and including 2.1.2. The vulnerability was disclosed on May 5, 2025, and stems from improper validation of user identity before allowing updates to user details (NVD, Wiz).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The core issue lies in the plugin's failure to properly validate a user's identity prior to updating their details such as passwords (NVD, Wiz).

This vulnerability enables authenticated attackers with subscriber-level access or higher to modify arbitrary users' passwords and email addresses, including those of administrators. When combined with CVE-2025-3609, it can potentially lead to remote code execution even for initially unauthenticated users (NVD, Wiz).

Users are advised to update their Reales WP STPT plugin to a version newer than 2.1.2 when available. Until then, site administrators should carefully monitor user account activities and consider restricting subscriber-level access (Wiz).