CVE-2025-68071

MEDIUM
2025-12-16 [email protected]
6.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 16, 2025 - 09:16 nvd
MEDIUM 6.5

Tags

WordPress PHP Authentication Bypass

Description

Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through <= 5.2.9.

Analysis

Authorization bypass in Essential Real Estate WordPress plugin versions through 5.2.9 allows authenticated users to access sensitive real estate data they should not have permission to view through user-controlled key manipulation. The vulnerability exploits incorrectly configured access control at the application level, enabling privilege escalation from a standard user account to view confidential information such as property details or pricing. No public exploit code has been identified, and the EPSS score of 0.04% indicates low exploitation probability despite the CVSS 6.5 severity rating.

Technical Context

This vulnerability stems from an Insecure Direct Object References (IDOR) weakness classified under CWE-639 (Authorization Through User-Controlled Key), where the application fails to properly validate that an authenticated user has permission to access resources identified by user-supplied identifiers. The Essential Real Estate plugin, deployed as a WordPress add-on (CPE context: WordPress plugin ecosystem), implements access control checks that rely on parameters directly controllable by the client rather than server-side session state or role-based authorization logic. When a user modifies query parameters or request identifiers, the application does not verify that the requester's privilege level authorizes access to that specific resource. This is a classic IDOR pattern where attackers enumerate or guess object identifiers and bypass authorization layers.

Affected Products

Essential Real Estate WordPress plugin from an unspecified starting version through version 5.2.9 is affected. The plugin is distributed through the WordPress plugin repository and used on real estate websites to manage property listings and agent information. The vulnerability impacts all deployments of this plugin running version 5.2.9 or earlier.

Remediation

Update the Essential Real Estate plugin to a version newer than 5.2.9 immediately upon availability. Consult the Patchstack vulnerability database and the official WordPress plugin page for Essential Real Estate to confirm the patched version number and installation instructions. As an interim control pending patch availability, restrict WordPress user role capabilities to limit non-admin users' access to property listing endpoints, review and strengthen user access control rules within plugin settings, and audit recent access logs for unauthorized property data queries by authenticated users. Detailed remediation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-2-insecure-direct-object-references-idor-vulnerability.

Priority Score

33
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0

Share

CVE-2025-68071 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy