CVE-2025-6934 > unauthenticated privilege escalation in opal estate pro

Description

CVE-2025-6934 is a critical vulnerability in the Opal Estate Pro WordPress plugin (≤ v1.7.5).
This bug allows an unauthenticated attacker to create a new administrator account by sending a crafted request to:

/wp-admin/admin-ajax.php?action=opalestate\_register\_form

The root cause lies in the nonce parsing (opalestate-register-nonce) during the registration process, which is not properly validated.
This flaw allows attackers to bypass normal registration and directly create a new account with administrator privileges.

---

Impact

• Remote unauthenticated attackers can create arbitrary admin accounts.
• Full access to the WordPress dashboard, plugins, themes, file manager, and potentially remote code execution (via malicious plugin upload).
• Fast escalation from unauthenticated > full compromise.

---

Usage

Run the exploit tool with Python 3:

python3 exploit.py

You will be prompted for:

• username > New admin account username

• password > New admin account password

• email > Email address for the new account

• Target mode:

  • Single target > Enter one target URL
  • Mass target > Provide a file containing multiple target URLs

---

Output

If successful, results are saved into save.txt in the format:

URL: https://example.com
USERNAME: admin123
PASSWORD: passw0rd!
EMAIL: attacker@example.com
ROLE: administrator

---

Mitigation

• Update the Opal Estate Pro plugin to the latest patched version (> v1.7.5).
• Restrict anonymous access to /wp-admin/admin-ajax.php if possible.
• Audit WordPress user accounts after patching to detect unauthorized admin.