CVE-2025-6934
📋 TL;DR
This vulnerability allows unauthenticated attackers to register accounts with Administrator privileges on WordPress sites using the Opal Estate Pro plugin. Any WordPress site with this plugin enabled is affected, particularly those using the FullHouse theme. Attackers can gain full control of vulnerable websites without any authentication.
💻 Affected Systems
- Opal Estate Pro - Property Management and Submission plugin for WordPress
- FullHouse - Real Estate Responsive WordPress Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover - attackers gain Administrator access, can deface websites, steal data, install backdoors, or use the site for further attacks.
Likely Case
Attackers create admin accounts to maintain persistent access, potentially leading to data theft, malware distribution, or site defacement.
If Mitigated
With registration disabled or proper role validation, impact is limited to attempted attacks that fail.
🎯 Exploit Status
Simple HTTP POST request manipulation to set the user role parameter during registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.7.5
Vendor Advisory: https://plugins.trac.wordpress.org/browser/opal-estate-pro/trunk/
Restart Required: No
Instructions:
1. Update the Opal Estate Pro plugin to the latest version.
2. Verify that user registration role validation is implemented.
3. Review recently created user accounts for suspicious administrator accounts.
🔧 Temporary Workarounds
Disable User Registration
Disable new user registration in WordPress settings to prevent exploitation.
WordPress Admin Dashboard → Settings → General → Membership: Uncheck 'Anyone can register'
Deactivate Vulnerable Plugin
Temporarily deactivate the Opal Estate Pro plugin until patched.
WordPress Admin Dashboard → Plugins → Installed Plugins → Deactivate Opal Estate Pro
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block registration requests with role parameter manipulation
- Monitor user registration logs and audit newly created administrator accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Opal Estate Pro version. If the version is ≤1.7.5 and user registration is enabled, the site is vulnerable.
Check Version:
WordPress: Check the plugin version in the admin panel.
CLI: grep -r "Version:" wp-content/plugins/opal-estate-pro/opal-estate-pro.php
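The version check above combines two conditions (plugin version ≤1.7.5 and registration enabled), and comparing version strings lexically gets the first one wrong once a component reaches two digits ("1.10.0" sorts before "1.7.5"). The following is an added example, not code from the advisory or from the plugin: it parses the "Version:" header from the plugin's main file and applies the rule numerically. The sample header is constructed; the plugin path is the one the advisory's grep command uses, and the users_can_register flag mirrors the WordPress option of the same name.

```python
# Added example (not from the advisory or the plugin): reads the "Version:" line of
# the plugin's main file and compares it numerically against the advisory's 1.7.5
# cut-off, which a plain string comparison would get wrong once minor numbers reach
# two digits (e.g. "1.10.0" < "1.7.5" as strings). SAMPLE_HEADER is constructed.
import re

PLUGIN_MAIN_FILE = "wp-content/plugins/opal-estate-pro/opal-estate-pro.php"  # path from the advisory
LAST_VULNERABLE = (1, 7, 5)  # advisory: versions <= 1.7.5 are affected


def parse_plugin_version(header_text):
    """Extract the value of the 'Version:' header from a WordPress plugin file.
    Returns None when the header is missing."""
    m = re.search(r"^[\s*]*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version):
    """Turn '1.7.5' into (1, 7, 5); stops at the first non-numeric component,
    so '1.8.0-beta' compares as (1, 8, 0)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(header_text, users_can_register):
    """Apply the advisory's rule: affected when the plugin version is <= 1.7.5
    and 'Anyone can register' (the users_can_register option) is enabled.
    An unreadable version is treated as affected so a missing header gets
    investigated instead of silently passing."""
    version = parse_plugin_version(header_text)
    if version is None:
        return users_can_register
    return version_tuple(version) <= LAST_VULNERABLE and users_can_register


def check_installed(plugin_file=PLUGIN_MAIN_FILE, users_can_register=True):
    """Read the real plugin file on disk and apply is_vulnerable() to its header."""
    with open(plugin_file, encoding="utf-8", errors="replace") as fh:
        return is_vulnerable(fh.read(4096), users_can_register)


# Constructed header in the layout WordPress plugin headers use.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Opal Estate Pro
 * Version: 1.7.5
 */
"""

if __name__ == "__main__":
    print("parsed version:", parse_plugin_version(SAMPLE_HEADER))
    print("vulnerable with registration on:", is_vulnerable(SAMPLE_HEADER, True))
    print("vulnerable with registration off:", is_vulnerable(SAMPLE_HEADER, False))
```

Run check_installed() from the WordPress root to test the real install; the users_can_register value comes from Settings → General → Membership (or the wp_options row of that name).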
Verify Fix Applied:
After the update, test registration with role parameter manipulation: it should fail or default to the subscriber role.
📡 Detection & Monitoring
Log Indicators:
- Multiple user registration attempts with role parameters
- New administrator accounts created from unusual IPs
- POST requests to /wp-login.php?action=register with role=administrator
Network Indicators:
- HTTP POST to registration endpoints with role parameter manipulation
- Unusual registration traffic patterns
SIEM Query:
source="wordpress" AND (uri_path="/wp-login.php" OR uri_path="/wp-admin/admin-ajax.php") AND (post_param="role" OR post_param="user_role") AND post_param_value="administrator"
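The indicators and SIEM query above describe the detection in words; the following is an added example, not code from the advisory, that turns them into runnable logic. It flags POST requests to the registration endpoints named above whose query string or body carries a role or user_role parameter with any value other than the WordPress default of subscriber, adds a per-IP burst finding for repeated registration submissions (the "unusual registration traffic patterns" indicator), and audits administrator accounts created after a given date (the post-fix review step). The record layout (ts, ip, method, uri, post_params) is an assumed WAF or reverse-proxy log shape, and all sample requests and users are constructed.

```python
# Added example (not from the advisory or the plugin): flags WordPress registration
# requests that carry a role parameter, counts registration bursts per client IP,
# and lists recently created administrator accounts. The record shape
# (ts, ip, method, uri, post_params) is an assumed WAF/proxy log layout; all sample
# data below is constructed (IPs from documentation ranges).
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory's SIEM query.
REGISTRATION_PATHS = {"/wp-login.php", "/wp-admin/admin-ajax.php"}
# Parameter names named in the advisory's SIEM query.
ROLE_PARAMS = {"role", "user_role"}
# The only role a self-service registration should ever yield (WordPress default).
ALLOWED_SELF_REGISTER_ROLES = {"subscriber"}
# WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS".
WP_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def flag_request(record):
    """Return a reason string if the request looks like role manipulation, else None.

    Only POST requests are considered, matching the advisory's log indicators.
    Query-string and body parameters are merged because either may carry the role.
    """
    if record["method"].upper() != "POST":
        return None
    parts = urlsplit(record["uri"])
    if parts.path not in REGISTRATION_PATHS:
        return None
    params = parse_qs(parts.query)
    for name, values in record.get("post_params", {}).items():
        params.setdefault(name, []).extend(values)
    for name in sorted(ROLE_PARAMS):
        for value in params.get(name, []):
            if value.lower() not in ALLOWED_SELF_REGISTER_ROLES:
                return f"{name}={value} supplied during registration"
    return None


def is_register_post(record):
    """True for POST /wp-login.php?action=register (the core registration form)."""
    parts = urlsplit(record["uri"])
    return (record["method"].upper() == "POST"
            and parts.path == "/wp-login.php"
            and parse_qs(parts.query).get("action") == ["register"])


def detect(records, burst_threshold=3):
    """Run the role-parameter check over every record and add one per-IP burst
    finding when a client submits the registration form burst_threshold+ times."""
    findings = []
    attempts_per_ip = defaultdict(int)
    for rec in records:
        reason = flag_request(rec)
        if reason:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "reason": reason})
        if is_register_post(rec):
            attempts_per_ip[rec["ip"]] += 1
    for ip, count in attempts_per_ip.items():
        if count >= burst_threshold:
            findings.append({"ip": ip, "ts": None,
                             "reason": f"{count} registration attempts"})
    return findings


def recent_admins(users, since):
    """Return logins of administrator accounts registered at or after `since`
    (same "YYYY-MM-DD HH:MM:SS" format WordPress uses for user_registered)."""
    cutoff = datetime.strptime(since, WP_TIME_FORMAT)
    return [u["user_login"] for u in users
            if "administrator" in u["roles"]
            and datetime.strptime(u["user_registered"], WP_TIME_FORMAT) >= cutoff]


# Constructed sample records.
SAMPLE_REQUESTS = [
    {"ts": "2025-07-01 10:00:00", "ip": "203.0.113.5", "method": "POST",
     "uri": "/wp-login.php?action=register",
     "post_params": {"user_login": ["alice"], "user_email": ["alice@example.com"]}},
    {"ts": "2025-07-01 10:01:00", "ip": "198.51.100.9", "method": "POST",
     "uri": "/wp-login.php?action=register",
     "post_params": {"user_login": ["wpuser99"], "role": ["administrator"]}},
    {"ts": "2025-07-01 10:01:05", "ip": "198.51.100.9", "method": "POST",
     "uri": "/wp-login.php?action=register",
     "post_params": {"user_login": ["wpuser98"], "user_role": ["administrator"]}},
    {"ts": "2025-07-01 10:01:09", "ip": "198.51.100.9", "method": "POST",
     "uri": "/wp-login.php?action=register",
     "post_params": {"user_login": ["wpuser97"], "role": ["editor"]}},
    # AJAX action name is a constructed placeholder, not the plugin's real action.
    {"ts": "2025-07-01 10:02:00", "ip": "198.51.100.9", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php",
     "post_params": {"action": ["register"], "user_role": ["administrator"]}},
    # GET with a role in the query string: not a POST, so not flagged by the rule above.
    {"ts": "2025-07-01 10:03:00", "ip": "192.0.2.7", "method": "GET",
     "uri": "/wp-login.php?action=register&role=administrator", "post_params": {}},
    # An explicit subscriber role is the default outcome and is not suspicious.
    {"ts": "2025-07-01 10:04:00", "ip": "203.0.113.5", "method": "POST",
     "uri": "/wp-login.php?action=register",
     "post_params": {"user_login": ["carol"], "role": ["subscriber"]}},
]

# Constructed sample users in the shape of wp_users plus their roles.
SAMPLE_USERS = [
    {"user_login": "siteadmin", "roles": ["administrator"], "user_registered": "2024-01-15 09:00:00"},
    {"user_login": "bob", "roles": ["subscriber"], "user_registered": "2025-07-01 10:00:00"},
    {"user_login": "wpuser99", "roles": ["administrator"], "user_registered": "2025-07-01 10:01:00"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_REQUESTS):
        print(finding)
    print("admins created since 2025-06-01:", recent_admins(SAMPLE_USERS, "2025-06-01 00:00:00"))
```

The role check deliberately treats any non-subscriber value as suspicious rather than matching only "administrator", since an editor or author account obtained through the same path is still a privilege escalation; the burst threshold is a starting point to tune against the site's normal registration volume.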
🔗 References
- https://plugins.trac.wordpress.org/browser/opal-estate-pro/trunk/inc/user/class-opalestate-user.php#L228
- https://plugins.trac.wordpress.org/browser/opal-estate-pro/trunk/inc/user/class-opalestate-user.php#L235
- https://themeforest.net/item/fullhouse-real-estate-responsive-wordpress-theme/16179481
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5d7b75a4-67b4-4347-91a6-dbf98da5ceaf?source=cve