CVE-2025-2232
Published: 14 March 2025
Summary
CVE-2025-2232 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Purethemes Realteo. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 18.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
AC-2 requires establishment of conditions for account creation and role assignment, directly mitigating the insufficient role restrictions in the 'do_register_user' function that allow unauthenticated admin registration.
AC-6 enforces least privilege by restricting privileges to the minimum necessary, preventing new registrations from being assigned Administrator roles without authorization.
AC-3 mandates enforcement of access control policies, addressing the plugin's failure to restrict unauthenticated access to elevated privilege assignment during registration.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability is an authentication bypass in a public-facing WordPress plugin that allows remote, unauthenticated creation of an administrator account, mapping directly to exploitation of public-facing applications (T1190) and creation of a privileged account (T1136).
NVD Description
The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
Deeper analysis (AI-generated)
CVE-2025-2232 is an authentication bypass vulnerability in the Realteo - Real Estate Plugin by Purethemes for WordPress, which is used by the Findeo Theme. It affects all versions up to and including 1.2.8 and stems from insufficient role restrictions in the 'do_register_user' function. This flaw enables unauthenticated attackers to register a new account with Administrator privileges. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-269 (Improper Privilege Management).
Unauthenticated attackers can exploit this issue remotely over the network with low complexity and no user interaction or privileges required. By invoking the vulnerable registration function, they can create an Administrator account, achieving high-impact confidentiality, integrity, and availability effects, such as full site takeover, data exfiltration, content manipulation, and potential lateral movement within the environment.
Advisories and patch information are detailed in the Findeo changelog at https://docs.purethemes.net/findeo/knowledge-base/changelog-findeo/ and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/abe73ecd-1325-4d6d-8545-d27f6116ca43?source=cve. Security practitioners should consult these sources for mitigation steps, including updating to a patched version where available.
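The defensive pattern that closes this class of flaw, as an added illustration that is not Realteo's or Findeo's code: the server decides which role a self-registered account receives, a client-supplied role is honoured only when it is on an allowlist, and any administrator created by a request lacking the 'promote_users' capability is logged for the site owner. The function name, the constant, the request field names and the log prefix are assumptions; the WordPress APIs used (wp_insert_user, wp_roles, current_user_can, the user_register hook) are real.

```php
<?php
// Added example (not the plugin's code). Hypothetical site policy listing the
// only roles a visitor may pick for themselves during registration.
const REALTEO_EXAMPLE_SELF_ROLES = ['subscriber', 'agent'];

/**
 * Hypothetical hardened registration handler.
 * @param array $request Sanitised-on-entry form fields: username, email, role.
 * @return int|WP_Error New user ID, or WP_Error on refusal.
 */
function example_do_register_user(array $request) {
    $login = sanitize_user($request['username'] ?? '', true);
    $email = sanitize_email($request['email'] ?? '');
    if ($login === '' || !is_email($email)) {
        return new WP_Error('invalid_input', 'Username and a valid e-mail are required.');
    }

    // Default to the least-privileged role. A requested role is accepted only if
    // it is on the allowlist; 'administrator' or any unknown value is downgraded
    // instead of being passed through to wp_insert_user().
    $role      = 'subscriber';
    $requested = sanitize_key($request['role'] ?? '');
    if (in_array($requested, REALTEO_EXAMPLE_SELF_ROLES, true)) {
        $role = $requested;
    }

    // Belt and braces: a role holding manage_options is never granted from a
    // registration form unless the caller can already promote users.
    $role_obj = wp_roles()->get_role($role);
    $caps     = $role_obj ? $role_obj->capabilities : [];
    if (!empty($caps['manage_options']) && !current_user_can('promote_users')) {
        return new WP_Error('forbidden_role', 'Privileged roles cannot be self-assigned.');
    }

    return wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(24),
        'role'       => $role,
    ]);
}

// Detection: record any administrator account created by a request that lacked
// the capability to create one, so abuse of a registration path shows up in logs.
add_action('user_register', function ($user_id) {
    $user = get_userdata((int) $user_id);
    if ($user && in_array('administrator', (array) $user->roles, true)
        && !current_user_can('promote_users')) {
        error_log(sprintf('[realteo-example] administrator %s (#%d) created by unprivileged request from %s',
            $user->user_login, $user_id, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    }
});
```

Run as a small must-use plugin on a staging site; the log line is the signal to hunt for when reviewing a site that ran an affected Realteo version.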
Details
- CWE(s)