CVE-2025-4601
RH - Real Estate WordPress Theme <= 4.4.0 - Authenticated (Subscriber+) Privilege Escalation
Confidence: Medium · Status: Published
Not yet in CISA KEV
Recommended Action
Treat as actively exploited. Assess exposure, apply compensating controls where patching is delayed, and monitor for abuse.
At a Glance
The "RH - Real Estate WordPress Theme" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1.
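The description above attributes the flaw to a profile-update function that did not restrict which roles a request could assign. As an added illustration (not the theme's own code; the internals of inspiry_update_profile() are not on this page), the handler below shows the server-side boundary such a function needs: role changes are ignored unless the caller may promote users and the requested role is one they are allowed to grant. The function name `example_safe_update_profile` and the form field names are assumed.

```php
<?php
// Added illustrative handler (assumed names; not from the RH theme). Assumes a
// front-end profile form posting display_name, description and optionally role.
function example_safe_update_profile( array $post ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_logged_in', 'Login required.' );
    }
    // CSRF check: the form must carry a nonce bound to this action.
    if ( ! isset( $post['_wpnonce'] )
        || ! wp_verify_nonce( $post['_wpnonce'], 'example_update_profile' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    $user_id = get_current_user_id();

    // Copy only an allowlist of harmless fields from the request; never pass
    // the raw $_POST array through to wp_update_user().
    $userdata = array(
        'ID'           => $user_id,
        'display_name' => sanitize_text_field( $post['display_name'] ?? '' ),
        'description'  => sanitize_textarea_field( $post['description'] ?? '' ),
    );

    // Privilege boundary: honour a role change only when the caller holds the
    // promote_users capability AND the target role is one the caller may assign.
    // get_editable_roles() lives in wp-admin and is filtered for the current user.
    if ( isset( $post['role'] ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        $role = sanitize_key( $post['role'] );
        if ( ! current_user_can( 'promote_users' )
            || ! array_key_exists( $role, get_editable_roles() ) ) {
            // A subscriber submitting role=administrator ends here.
            return new WP_Error( 'forbidden_role', 'Role change not permitted.' );
        }
        $userdata['role'] = $role;
    }

    // With 'role' absent from $userdata, wp_update_user() leaves the role unchanged.
    return wp_update_user( $userdata );
}
```

When reviewing a theme or plugin for this bug class, look for the opposite shape: a user-supplied role value reaching wp_update_user() or WP_User::set_role() without a capability check against the current user.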
- Published: Jun 10, 2025
- First Seen: Jun 17, 2026
- CVSS: 8.8 High
- EPSS: 4.2%
Recommended Actions
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| Daily CyberSecurity First | 2026-06-17 19:20 UTC |
Detection Context
Request patterns and scanner artifacts observed for this CVE. Operational detection logic guidance is coming soon.
No detection artifacts or sensor request patterns are available for this CVE yet.
Check back as sensor telemetry and scanner integrations are updated.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-17 19:20:25 UTC · Daily CyberSecurity
Weaknesses (CWE)
- Improper Privilege Management
Recent Mentions
Daily CyberSecurity · Jun 17, 2026 · Active Gravity SMTP Vulnerability Exploited in the Wild
Excerpt (truncated at source): "A critical Gravity SMTP vulnerability is currently facing active exploitation in the wild. Consequently, WordPress site administrators must"
Related posts:
- CVE-2025-4601: Flaw Exposes 33,000+ RealHomes WordPress Sites to Admin Takeover
- Urgent WordPress Alert: Motors Theme Flaw (CVE-2025-4322) Actively Exploited for Site Takeover
- SureForms WordPress Plugin Flaw (CVE-2025-6691): Unauthenticated Arbitrary File Deletion Leads to Site Takeover, 200K Sites at Risk
Timeline
- Added to KEVIntel
- CVE Published to Public
- CVE ID Reserved
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v1/pro/kevs/CVE-2025-4601

```json
{
  "cve_id": "CVE-2025-4601",
  "title": "RH - Real Estate WordPress Theme <= 4.4.0 - Authenticated (Subscriber+) Privi...",
  "affected_vendor": "InspiryThemes",
  "affected_product": "RH - Real Estate WordPress Theme",
  "confidence": "Medium",
  "cvss_score": 8.8,
  "epss_score": 0.04167,
  "exploit_status": {
    "exploited_in_the_wild": true,
    "active_exploitation_observed": false
  },
  "sensor_telemetry": { "...": "Pro API fields" },
  "proof_of_concepts": [ "..." ],
  "scanner_integrations": [ "..." ]
}
```