CVE-2025-4601: 
WordPress vulnerability analysis and mitigation

The RH - Real Estate WordPress Theme is affected by a critical Privilege Escalation vulnerability (CVE-2025-4601) discovered in June 2025. The vulnerability impacts all versions up to and including 4.4.0, affecting over 33,000 WordPress sites using the RealHomes theme on ThemeForest. The vulnerability carries a CVSS v3.1 score of 8.8 (HIGH) and was partially patched in version 4.4.0, with a full patch released in version 4.4.1 (Wiz, SecurityOnline).

The vulnerability exists in the inspiryupdateprofile() function, which fails to properly restrict user roles that can be updated. When the 'Show user role option in profile' setting is enabled, the function does not implement proper access controls, allowing users to modify their own role without restriction. The vulnerability has been assigned a CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Wordfence).

The vulnerability allows authenticated attackers with subscriber-level access or higher to escalate their privileges to administrator level. Once administrative access is gained, attackers can perform various malicious actions including uploading malicious plugins, injecting backdoors, modifying or deleting content, redirecting site visitors to malicious sites, and inserting spam or phishing pages (SecurityOnline).

The vulnerability has been fully patched in version 4.4.1 of the RealHomes WordPress theme. Site administrators are strongly urged to update to this version immediately, especially if they have enabled the 'Show user role option in profile' setting (SecurityOnline).