33,000 WordPress Sites Affected by Privilege Escalation Vulnerability in RealHomes WordPress Theme




On May 4th, 2025, we received a submission for a Privilege Escalation vulnerability in RealHomes, a WordPress theme with more than 33,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to grant themselves administrative privileges by updating their user role. Please note that this vulnerability only critically affects users who have enabled the “Show user role option in profile” option in the settings, which is disabled by default.

Props to Thái An who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $585.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 12, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 11, 2025.

We contacted the InspiryThemes team on May 12, 2025, and received a response on May 15, 2025. After providing full disclosure details, the developer released the patch on May 26, 2025, and the second patch on June 5, 2025. We would like to commend the InspiryThemes team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of RealHomes, version 4.4.1 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

RH – Real Estate WordPress Theme <= 4.4.0 – Authenticated (Subscriber+) Privilege Escalation

CVSS Rating: 8.8 (High)
CVE-ID: CVE-2025-4601
Affected Versions: <= 4.4.0
Patched Version: 4.4.1
Bounty: $585.00
Affected Software: RH – Real Estate WordPress Theme
Affected Software Slug: realhomes
Researcher: Thái An

The “RH – Real Estate WordPress Theme” theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1.

Technical Analysis

RealHomes is a popular real estate WordPress theme on the ThemeForest marketplace.

Examining the code reveals that the theme uses the inspiry_update_profile() function to update the user profile. If the “Show user role option in profile” option is enabled in the settings, which is disabled by default, then it is also possible to update the user role:

// Changing user role if allowed to
if ( get_option( 'ere_allow_users_change_role', false ) && ! empty( $_POST['realhomes_user_role'] ) ) {

	// Getting selected user role
	$selected_role = $_POST['realhomes_user_role'];

	// Get the user data
	$user_data = get_userdata( $current_user->ID );

	// Check if the user data is found
	if ( $user_data ) {
		// Update the user role (no check restricts which role $selected_role may be)
		$user_data->set_role( $selected_role );
	}
}

The vulnerability stems from the fact that there are no restrictions on the user role, so the user’s role can be updated arbitrarily, even to “administrator”.
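An added example, not the vendor's patch and not code from the theme: one way to close the gap described above is to accept the submitted role only when it appears on a fixed server-side allow-list. The function name example_pick_self_service_role() and the role slugs in the allow-list are assumptions made for illustration; the constructed inputs at the bottom let the block run under the PHP CLI without WordPress.

```php
<?php
// Added example (not the RealHomes patch). Function name and role slugs are hypothetical.

/**
 * Return the role a user may assign to themselves, or null to reject the request.
 *
 * @param mixed    $requested Raw value of $_POST['realhomes_user_role'].
 * @param string[] $allowed   Server-side allow-list of low-privilege role slugs.
 */
function example_pick_self_service_role( $requested, array $allowed ): ?string {
	// Arrays (realhomes_user_role[]=x) and other non-string input are rejected outright.
	if ( ! is_string( $requested ) ) {
		return null;
	}
	$role = strtolower( trim( $requested ) );
	// Strict comparison against the allow-list; anything else, including
	// "administrator" or "editor", is refused instead of reaching set_role().
	return in_array( $role, $allowed, true ) ? $role : null;
}

// Hypothetical allow-list: only roles that carry no elevated capabilities.
$allowed_roles = array( 'subscriber', 'example_agent', 'example_buyer' );

// Constructed inputs standing in for the POST parameter.
$cases = array( 'example_agent', 'administrator', ' Subscriber ', array( 'administrator' ), '' );
foreach ( $cases as $input ) {
	$result = example_pick_self_service_role( $input, $allowed_roles );
	printf( "%-20s => %s\n", json_encode( $input ), $result ?? 'REJECTED' );
}

// Call site inside the profile handler (WordPress context assumed):
//   $role = example_pick_self_service_role(
//       wp_unslash( $_POST['realhomes_user_role'] ?? null ), $allowed_roles );
//   if ( null !== $role ) {
//       $user_data->set_role( $role );
//   }
```

The allow-list is defined in code rather than derived from the roles registered on the site, so a role added later by another plugin does not become self-assignable by accident.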

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

We would like to draw attention once again to the fact that the vulnerability only critically affects users who have enabled the “Show user role option in profile” option in the settings, which is disabled by default.

Disclosure Timeline

May 10, 2025 – We received the submission for the Privilege Escalation vulnerability in RealHomes via the Wordfence Bug Bounty Program.
May 12, 2025 – We validated the report and confirmed the proof-of-concept exploit.
May 12, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
May 12, 2025 – We initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion.
May 15, 2025 – The vendor confirmed the inbox for handling the discussion.
May 15, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
May 26, 2025 – The partially patched version of the theme, 4.4.0, was released.
June 5, 2025 – The fully patched version of the theme, 4.4.1, was released.
June 11, 2025 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the RealHomes theme affecting versions 4.4.0 and earlier. This vulnerability allows authenticated threat actors with subscriber-level access or higher to gain elevated privileges. The vulnerability has been fully addressed in version 4.4.1 of the theme.

We encourage WordPress users to verify that their sites are updated to the latest patched version of RealHomes as soon as possible considering the critical nature of this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 12, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 11, 2025.

If you know someone who uses this theme on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post 33,000 WordPress Sites Affected by Privilege Escalation Vulnerability in RealHomes WordPress Theme appeared first on Wordfence.
