CVE-2025-7718: 
WordPress vulnerability analysis and mitigation

The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-7718) affecting all versions up to and including 2.5.4. The vulnerability was disclosed on September 10, 2025 and was discovered by Wordfence security researchers (NVD, Wordfence).

The vulnerability stems from improper user identity validation when updating user details like email addresses. It has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify arbitrary user email addresses, including those of administrators. By changing email addresses, attackers can leverage password reset functionality to gain unauthorized access to user accounts, potentially leading to complete administrative control of the WordPress installation (NVD).

Users should immediately update the Resideo Plugin for Resideo - Real Estate WordPress Theme to a version newer than 2.5.4 when available. No specific workarounds have been publicly documented (Wordfence).