CVE-2025-3609
📋 TL;DR
The Reales WP STPT WordPress plugin allows unauthenticated attackers to create user accounts without permission checks. This affects all WordPress sites using the plugin up to version 2.1.2. Attackers can register arbitrary accounts which could be combined with other vulnerabilities for privilege escalation.
💻 Affected Systems
- Reales WP STPT WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers create administrative accounts, take full control of the WordPress site, and potentially compromise the entire web server.
Likely Case
Attackers create multiple user accounts to spam, deface content, or use as footholds for further attacks.
If Mitigated
Limited to account creation only, with proper monitoring detecting unusual registration activity.
🎯 Exploit Status
Simple HTTP POST request to vulnerable AJAX endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.3 or later
Vendor Advisory: https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find Reales WP STPT plugin. 4. Click 'Update Now' if update available. 5. If no update, deactivate and remove plugin.
🔧 Temporary Workarounds
Disable User Registration
allDisable user registration in WordPress settings to prevent account creation.
Block AJAX Endpoint
linuxUse web application firewall or .htaccess to block access to the vulnerable AJAX endpoint.
# Add to .htaccess
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=reales_user_signup_form
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Deactivate and remove the Reales WP STPT plugin immediately.
- Implement strict monitoring for unusual user registration activity and new user accounts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins for Reales WP STPT version 2.1.2 or earlier.Check Version:
wp plugin list --name=reales-wp-stpt --field=versionVerify Fix Applied:
Confirm plugin version is 2.1.3 or later, or plugin is removed.📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=reales_user_signup_form
- Unusual spike in user registrations
Network Indicators:
- HTTP POST to admin-ajax.php with user registration parameters from unauthenticated sources
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="reales_user_signup_form"