CVE-2025-48150

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Missing Authorization vulnerability in sminozzi Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin real-estate-right-now allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin: from n/a through <= 4.48.

Analysis (AI)

Missing authorization controls in the Real Estate Property 2024 Create Your Own Fields and Search Bar WordPress plugin (versions up to 4.48) permit unauthenticated or low-privileged users to access functionality and data intended for higher privilege levels. The vulnerability stems from inadequately configured access control checks on plugin endpoints, allowing attackers to bypass intended security boundaries. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is minimal, and no public exploit code or active exploitation has been identified.

Technical Context (AI)

This vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control flaw in which the application fails to verify that the user performing an action has permission to do so. The affected component is a WordPress plugin that extends WordPress functionality with custom real estate property fields and search features. WordPress plugins execute server-side code with access to the WordPress database and core APIs; missing authorization checks allow bypass of WordPress role-based access control (RBAC) at the plugin level. The plugin processes user-supplied requests to create, modify, or search custom fields without properly validating the requestor's capability, potentially exposing sensitive property data or allowing unauthorized field modifications.

Affected Products (AI)

The Real Estate Property 2024 Create Your Own Fields and Search Bar WordPress plugin (CPE: wp:real-estate-right-now) is affected in versions up to and including 4.48. No minimum version is specified in the advisory, indicating the vulnerability may affect all releases. The plugin is distributed via the WordPress.org plugin directory and commonly installed on WordPress sites offering real estate listings and property search functionality.

Remediation (AI)

Update the Real Estate Property 2024 Create Your Own Fields and Search Bar plugin to a version newer than 4.48 immediately upon availability. Check the WordPress.org plugin repository or the official vendor announcement via Patchstack (https://patchstack.com/database/Wordpress/Plugin/real-estate-right-now/vulnerability/wordpress-real-estate-property-2024-create-your-own-fields-and-search-bar-wp-plugin-plugin-4-48-broken-access-control-vulnerability) for the patched release. If a patched version is not yet available, temporarily disable the plugin or restrict access to its features via WordPress user role management and server-level access controls until the vendor releases a fix. Audit the plugin's activity logs and database for unauthorized modifications or data access during the vulnerability window.
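An added example, not taken from the advisory or from the plugin's code: a check for the update step above that reads the installed plugin's version header the way WordPress does and compares it with 4.48. It assumes the default wp-content/plugins layout; the function names and the sample file written by make_sample are illustrative.

```python
import re
from pathlib import Path

SLUG = "real-estate-right-now"   # plugin slug given in the advisory
LAST_AFFECTED = (4, 48)          # advisory: affected through <= 4.48
HEADER_BYTES = 8192              # WordPress reads plugin headers from the first 8 KB

def header(text, field):
    """Return a plugin header field such as 'Version', or None if absent."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", text, re.I | re.M)
    return m.group(1).strip() if m else None

def parse_version(value):
    """'4.48' -> (4, 48); components compare numerically, so 4.5 < 4.48."""
    return tuple(int(p) for p in re.findall(r"\d+", value or ""))

def installed_version(wp_root):
    """None if the plugin directory is absent, '' if no version header is found."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG  # assumed default layout
    if not plugin_dir.is_dir():
        return None
    # The main file name is not given on the page, so scan top-level PHP files
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if header(head, "Plugin Name"):
            return header(head, "Version") or ""
    return ""

def status(wp_root):
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    parsed = parse_version(version)
    if not parsed:
        return "unknown-version"   # treat as affected until checked by hand
    return "affected" if parsed <= LAST_AFFECTED else "newer-than-4.48"

def make_sample(root, version):
    """Build a constructed sample install for demonstration; not real plugin code."""
    d = Path(root) / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True, exist_ok=True)
    (d / "sample-main.php").write_text(
        "<?php\n/*\n * Plugin Name: Constructed Sample\n * Version: %s\n */\n" % version)
    return root

if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:
        print(root, status(root))
```

Run it with one or more WordPress root directories as arguments; a result of "affected" or "unknown-version" means the site still needs the update or the interim mitigations described above.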
