CVE-2025-6190: 
WordPress vulnerability analysis and mitigation

The Realty Portal – Agent plugin for WordPress (versions 0.1.0 through 0.3.9) contains a Privilege Escalation vulnerability identified as CVE-2025-6190. The vulnerability was discovered and reported by Wordfence on July 22, 2025. This security issue affects the rpuserprofile() AJAX handler functionality within the plugin (NVD).

The vulnerability stems from missing authorization within the rpuserprofile() AJAX handler. The handler reads client-supplied meta key and value pairs from $POST and passes them directly to updateuser_meta() without implementing a safe whitelist restriction. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk. The vulnerability is classified under CWE-862 (Missing Authorization) (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to overwrite the wp_capabilities meta and elevate their privileges to administrator role. This represents a critical security breach as it enables unauthorized users to gain full administrative control over the WordPress installation (NVD).

The plugin has been temporarily closed as of July 21, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).