Skip to main content

Real Estate 7 CVE-2026-54827

| EUVDEUVD-2026-39674 CRITICAL
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-4vhp-x3jq-9qc4
9.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.5 HIGH

Unauthenticated remote SQLi gives low-complexity DB read (C:H); no evidence of write/integrity or availability impact, and I treat the database as the same authorization scope (S:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:N/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:34 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions.

AnalysisAI

SQL injection in the Real Estate 7 WordPress theme (versions up to and including 3.5.9) lets unauthenticated remote attackers inject malicious SQL through an unsanitized parameter, exposing backend database contents. The CVSS 3.1 base score is 9.3 (S:C/C:H) driven by the scope change and high confidentiality impact, with no authentication or user interaction required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Real Estate 7 <= 3.5.9
Delivery
Send crafted HTTP request with SQL payload
Exploit
Bypass input sanitization in DB query
Execution
Extract database records via injection
Impact
Exfiltrate user data and credential hashes

Vulnerability AssessmentAI

Exploitation The target must be running the Real Estate 7 WordPress theme at version 3.5.9 or earlier on an internet-reachable site, with the vulnerable injectable endpoint accessible to anonymous requests. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scanning for WordPress sites running Real Estate 7 sends a crafted HTTP request to the vulnerable endpoint with SQL metacharacters in a parameter, requiring no login (PR:N) and no user interaction (UI:N). Because attack complexity is low (AC:L), the attacker can automate extraction of database contents such as user records, password hashes, and configuration data. …
Remediation No vendor-released patch version was identified in the provided data; the affected range (<= 3.5.9) implies a later release should contain the fix, but that version is not confirmed here, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/realestate-7/vulnerability/wordpress-real-estate-7-theme-3-5-9-sql-injection-vulnerability?_s_id=cve) and the theme vendor for the exact patched build and upgrade to it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Real Estate 7 theme versions ≤3.5.9; identify and document affected sites and data scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy