CVE-2025-7718
BaseFortify
Publication date: 2025-09-10
Last updated on: 2025-09-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| resideo | real_estate_wordpress_theme | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Resideo Plugin for the Resideo - Real Estate WordPress Theme, affecting all versions up to and including 2.5.4. It allows an authenticated attacker with Subscriber-level access or higher to escalate privileges by taking over other user accounts. The root cause is that the plugin does not verify that the user making the request is the owner of the account being modified before allowing updates to sensitive details such as the email address (CWE-639, authorization bypass through a user-controlled key). An attacker can change another user's email address, including an administrator's, and then use the password-reset flow to gain access to that account.
How can this vulnerability impact me?
This vulnerability can have a severe impact because it allows attackers with low-level access to escalate their privileges to administrator level. By changing an administrator's email address and resetting the password, they can take over the administrator account and potentially gain full control of the WordPress site. This can result in unauthorized access, data breaches, site defacement, or other malicious activity.