Realty Portal - Agent WordPress Plugin Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in the Realty Portal - Agent plugin for WordPress, affecting versions 0.1.0 through 0.3.9. The vulnerability arises from a missing authorization check in the rp_user_profile() AJAX handler, which allows authenticated users with Subscriber-level access and above to modify arbitrary user metadata. Specifically, an attacker can overwrite the wp_capabilities meta key to grant themselves administrative privileges. This is possible because the handler writes client-supplied meta key and value pairs taken directly from the $_POST request, without validating them or restricting the keys to a safe whitelist.
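The following is an added illustration of the bug class described above, not the plugin's own code: a hypothetical reconstruction of an AJAX handler that writes whatever meta keys the client sends, next to a hardened form that enforces a nonce, a capability check and an explicit allowlist of writable keys. The example_ function names, the rp_phone/rp_bio/rp_website keys and the rp_user_profile nonce action are assumptions for the example.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern (not the plugin's code):
// meta keys and values come straight from $_POST and are written unchecked,
// so a key such as wp_capabilities reaches update_user_meta() untouched.
add_action( 'wp_ajax_rp_user_profile_insecure', 'example_rp_user_profile_insecure' );
function example_rp_user_profile_insecure() {
    $user_id = get_current_user_id();
    foreach ( (array) $_POST['meta'] as $key => $value ) { // client controls $key
        update_user_meta( $user_id, $key, $value );         // no allowlist, no sanitizing
    }
    wp_send_json_success();
}

// Hardened form: CSRF nonce, capability check, allowlist of keys with a
// per-key sanitizer. Protected keys like wp_capabilities are never written
// because only listed keys are accepted; everything else is dropped.
function example_rp_allowed_meta() {
    return array(
        'rp_phone'   => 'sanitize_text_field',     // assumed profile fields
        'rp_bio'     => 'sanitize_textarea_field',
        'rp_website' => 'esc_url_raw',
    );
}

add_action( 'wp_ajax_rp_user_profile_secure', 'example_rp_user_profile_secure' );
function example_rp_user_profile_secure() {
    check_ajax_referer( 'rp_user_profile', 'nonce' ); // dies on a missing/invalid nonce
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = example_rp_allowed_meta();
    $meta    = ( isset( $_POST['meta'] ) && is_array( $_POST['meta'] ) ) ? $_POST['meta'] : array();
    $written = array();
    foreach ( $meta as $key => $value ) {
        if ( ! isset( $allowed[ $key ] ) || ! is_scalar( $value ) ) {
            continue; // unknown or protected key (e.g. wp_capabilities): ignore it
        }
        $sanitize = $allowed[ $key ];
        update_user_meta( $user_id, $key, $sanitize( wp_unslash( $value ) ) );
        $written[] = $key;
    }
    wp_send_json_success( array( 'updated' => $written ) );
}
```

The allowlist is the essential control here: a capability check alone still lets a Subscriber edit their own profile, so the handler must also decide which keys a profile edit may touch.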
Impact
Exploitation of this vulnerability allows authenticated users to escalate their privileges to that of an administrator.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access can send a request to the rp_user_profile() AJAX handler. The request must include the meta key and value pairs that the user wishes to modify. Since the handler does not validate or restrict the meta keys, the user can overwrite the wp_capabilities meta key to gain administrative privileges.
