CVE-2025-3610 in Reales WP STPT Plugin
Summary
by MITRE • 05/06/2025
The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/06/2025
The vulnerability identified as CVE-2025-3610 affects the Reales WP STPT plugin for WordPress, representing a critical privilege escalation flaw that undermines the security model of WordPress installations. This vulnerability exists in all versions up to and including 2.1.2, making it a widespread concern for WordPress users who have installed this particular plugin. The core issue stems from insufficient user identity validation mechanisms within the plugin's password update functionality, which creates a fundamental security gap that can be exploited by attackers with minimal privileges.
The technical flaw manifests when authenticated attackers with subscriber-level access or higher attempt to modify user account details through the plugin's interface. Specifically, the plugin fails to properly authenticate and authorize users before allowing modifications to password and email address fields, creating a direct pathway for unauthorized account manipulation. This validation failure allows attackers to target any user account within the WordPress system, including high-privilege administrator accounts, by simply providing the target user ID or username. The vulnerability operates under CWE-285, which addresses improper authorization issues in software systems, and aligns with ATT&CK technique T1078.1.001 for valid accounts and T1078.1.002 for additional privileges, demonstrating how this flaw enables attackers to escalate their access level through legitimate account manipulation.
The operational impact of CVE-2025-3610 is severe and multifaceted, as it provides attackers with the ability to completely compromise user accounts and potentially gain administrative control over entire WordPress installations. When combined with CVE-2025-3609, which allows unauthenticated remote code execution, this vulnerability creates a complete attack chain where an attacker can first execute code without authentication and then leverage the privilege escalation to maintain persistent access. The vulnerability essentially allows attackers to perform account takeover operations that bypass normal WordPress security controls, potentially leading to data theft, website defacement, or further exploitation of the compromised system. This makes it particularly dangerous in environments where WordPress is used for critical business operations or contains sensitive user data.
Mitigation strategies for CVE-2025-3610 should prioritize immediate plugin updates to versions that address the validation flaw, though administrators should verify that the updated version properly implements proper authentication checks. Organizations should implement additional security measures including role-based access controls, regular security audits of installed plugins, and monitoring for unauthorized account modifications. Network segmentation and intrusion detection systems can help identify suspicious activities related to account changes, while multi-factor authentication should be enabled across all user accounts to add additional security layers. The vulnerability demonstrates the importance of proper input validation and authentication mechanisms in web applications, and serves as a reminder that even seemingly minor functionality flaws can create significant security risks. System administrators should also consider implementing automated patch management processes to ensure timely remediation of such vulnerabilities, particularly in environments where multiple WordPress installations exist across different servers or hosting environments.