CVE-2025-5117: 
WordPress vulnerability analysis and mitigation

The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the propertypackageuserrole metadata in versions 1.0.5 to 1.0.6. This vulnerability allows authenticated attackers with Author-level access and above to elevate their privileges to administrator level by creating a package post with propertypackageuserrole set to administrator and submitting the PayPal registration form (NVD).

The vulnerability exists in the PayPal registration form submission process where there is no proper capability check when setting the user role. The vulnerable code is located in paypal-submit.php where the rolepackage value from propertypackageuserrole metadata is directly assigned to the user without validation (WordPress Plugin). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation allows authenticated attackers to elevate their privileges to administrator level, potentially gaining full control over the WordPress site. This could lead to unauthorized access to sensitive information, modification of site content, installation of malicious plugins, and complete site compromise (NVD).

The vulnerability has been patched in version 1.0.7 of the Property plugin. Site administrators should update to this version immediately. If immediate updating is not possible, consider temporarily disabling the PayPal registration functionality or restricting access to the package post creation feature (WordPress Plugin).