Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network SQLi with no user interaction (AV:N/AC:L/PR:N/UI:N); scope change and C:H reflect cross-table data disclosure; I:N/A:L matches a read-only injection consistent with the reported vector.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.
AnalysisAI
Unauthenticated SQL injection in Realtyna Organic IDX WordPress plugin (versions 5.1.0 and earlier) allows remote attackers to inject arbitrary SQL into backend queries without credentials. The flaw carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the plugin's own data boundary, though no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress sites running this real-estate listing plugin.
Technical ContextAI
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the canonical SQL injection weakness. It affects Realtyna's Organic IDX plugin (CPE cpe:2.3:a:realtyna:realtyna_organic_idx_plugin), a WordPress extension used to integrate IDX/MLS real-estate listing feeds into WordPress sites. The plugin presumably accepts user-supplied parameters (search filters, listing IDs, or AJAX endpoints typical of IDX plugins) that flow into SQL queries without proper parameterization or sanitization, allowing attackers to manipulate the resulting query. Because WordPress plugins share the global $wpdb database connection, a successful injection can read from any WordPress table, including wp_users and wp_options.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/real-estate-listing-realtyna-wpl/vulnerability/wordpress-realtyna-organic-idx-plugin-plugin-5-1-0-sql-injection-vulnerability) for the fixed version once published and upgrade beyond 5.1.0. Until a fix is verified, compensating controls include deactivating the Realtyna Organic IDX plugin entirely (trade-off: IDX listing functionality and SEO impact go offline), placing the site behind a WAF such as Patchstack mApp, Wordfence, or Cloudflare with SQLi rule sets enabled (trade-off: false positives on legitimate search queries with quotes or SQL keywords), or restricting access to the plugin's known endpoints via web-server rules until upgrade is possible. Audit wp_users and access logs for anomalous query strings containing UNION, SLEEP, or encoded SQL meta-characters targeting plugin endpoints.
More in Realtyna Organic Idx Plugin
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36841
GHSA-3vpr-w47g-rp7p