CVE-2025-8218
Published: 19 August 2025
Summary
CVE-2025-8218 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 49.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-8218 is a privilege escalation vulnerability in the Real Spaces - WordPress Properties Directory Theme for WordPress, affecting all versions up to and including 3.5. The flaw arises from a lack of restrictions on the 'change_role_member' parameter during profile updates, enabling attackers to arbitrarily select their user role. Published on 2025-08-19, it is associated with CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability by manipulating the 'change_role_member' parameter during a profile update to escalate their privileges to any role, including Administrator. This grants full control over the affected WordPress site, allowing actions such as modifying content, installing plugins, or accessing sensitive data, with network accessibility and no user interaction required beyond low initial privileges per the CVSS vector.
Mitigation details are outlined in advisories referenced by the CVE, including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/2d07880b-9af1-4b1e-aa70-b95ef10a6e33?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/real-spaces-wordpress-real-estate-theme/8219779. Security practitioners should consult these sources for patch availability or workaround guidance specific to the theme.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28797
Vulnerability details
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'change_role_member' parameter in all versions up to, and including, 3.5. This is due to a lack of restriction in the profile update…
more
role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during a profile update.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct privilege escalation via improper role assignment in public-facing web app (WordPress), matching Exploitation for Privilege Escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires enforcement of approved authorizations during profile updates, directly preventing unauthorized privilege escalation via the unrestricted 'change_role_member' parameter.
Restricts user privileges to the minimum necessary, mitigating the ability of attackers to escalate to Administrator role through arbitrary role selection.
Establishes processes for managing account roles and privileges, ensuring restrictions on modifications like those exploited in the profile update vulnerability.