CVE-2025-66127
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Description
Missing Authorization vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.9.
Analysis
Missing authorization in g5theme Essential Real Estate WordPress plugin version 5.2.9 and earlier allows authenticated users to access or modify restricted resources by exploiting inadequately configured access controls. An attacker with low-privilege WordPress account credentials can leverage the broken access control to view sensitive information and make unauthorized modifications without requiring administrative approval. No public exploit code is currently identified, though the vulnerability is documented in the Patchstack security database.
Technical Context
The Essential Real Estate plugin for WordPress implements role-based access control mechanisms that fail to properly validate user permissions before granting access to sensitive functionality. This is a classic broken access control vulnerability (CWE-862: Missing Authorization): the plugin does not adequately enforce authorization checks on API endpoints, admin functions, or data retrieval operations. Because the security level checks that should restrict access by user role are missing, an authenticated user can sidestep the intended permission hierarchy simply by requesting the protected resource directly. The vulnerability affects the g5theme Essential Real Estate plugin, which is distributed through the official WordPress plugin repository and commonly used for real estate listing management.
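As an added illustration of the bug class described above (CWE-862), not code from the Essential Real Estate plugin: a hypothetical WordPress AJAX handler that trusts the logged-in session alone, beside the hardened form that checks a nonce and an object-level capability. All ere_demo_* names, the route and the meta key are assumptions.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin, not Essential Real
// Estate's own code. The hook and function names (ere_demo_*) and the
// 'ere_demo_price' meta key are hypothetical.

// Vulnerable pattern: the wp_ajax_ hook only requires a logged-in session,
// so any Subscriber-level account can modify any listing.
function ere_demo_update_listing_vulnerable() {
    $post_id = (int) $_POST['listing_id'];
    $price   = sanitize_text_field( wp_unslash( $_POST['price'] ) );
    update_post_meta( $post_id, 'ere_demo_price', $price ); // no capability check
    wp_send_json_success();
}
// (Hooked as add_action( 'wp_ajax_ere_demo_update_listing', ... ) in the
//  vulnerable version; not registered here so only the hardened handler runs.)

// Hardened pattern: verify the nonce (CSRF) and an object-level capability.
function ere_demo_update_listing_hardened() {
    check_ajax_referer( 'ere_demo_update_listing', 'nonce' );

    $post_id = isset( $_POST['listing_id'] ) ? (int) $_POST['listing_id'] : 0;
    // edit_post is a meta capability: WordPress maps it to edit_others_posts
    // for listings the user does not own, so the check is per object.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $price = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );
    update_post_meta( $post_id, 'ere_demo_price', $price );
    wp_send_json_success();
}
add_action( 'wp_ajax_ere_demo_update_listing', 'ere_demo_update_listing_hardened' );

// The same gate on a REST route: permission_callback decides authorization
// before the callback runs. A route registered without it (or with
// '__return_true') is the REST form of this bug class.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ere-demo/v1', '/listing/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $price = sanitize_text_field( (string) $request->get_param( 'price' ) );
            update_post_meta( (int) $request['id'], 'ere_demo_price', $price );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );
} );
```

When auditing a plugin for this class, grep its wp_ajax_, admin_post_ and register_rest_route registrations and confirm each handler reaches a current_user_can() (or a non-trivial permission_callback) before touching data.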
Affected Products
The Essential Real Estate plugin by g5theme for WordPress is affected in version 5.2.9 and all earlier versions. The plugin is distributed via the official WordPress plugin repository. Users running Essential Real Estate version 5.2.9 or lower should prioritize updating. Full details and version history are documented in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-2-broken-access-control-vulnerability?_s_id=cve.
Remediation
Immediately update the Essential Real Estate plugin to the patched version released after 5.2.9. Navigate to the WordPress dashboard, select Plugins, locate Essential Real Estate, and click Update if available. If a patched version is not yet available in the WordPress plugin repository, temporarily disable the plugin by deactivating it from the Plugins menu until an update is released. Additionally, review WordPress user roles and capabilities to enforce the principle of least privilege, ensuring only necessary administrators and editors have access to sensitive real estate data. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-2-broken-access-control-vulnerability?_s_id=cve provides detailed remediation guidance.