Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated remote SQLi gives low-complexity DB read (C:H); no evidence of write/integrity or availability impact, and I treat the database as the same authorization scope (S:N).
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions.
AnalysisAI
SQL injection in the Real Estate 7 WordPress theme (versions up to and including 3.5.9) lets unauthenticated remote attackers inject malicious SQL through an unsanitized parameter, exposing backend database contents. The CVSS 3.1 base score is 9.3 (S:C/C:H) driven by the scope change and high confidentiality impact, with no authentication or user interaction required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be running the Real Estate 7 WordPress theme at version 3.5.9 or earlier on an internet-reachable site, with the vulnerable injectable endpoint accessible to anonymous requests. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partially mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scanning for WordPress sites running Real Estate 7 sends a crafted HTTP request to the vulnerable endpoint with SQL metacharacters in a parameter, requiring no login (PR:N) and no user interaction (UI:N). Because attack complexity is low (AC:L), the attacker can automate extraction of database contents such as user records, password hashes, and configuration data. … |
| Remediation | No vendor-released patch version was identified in the provided data; the affected range (<= 3.5.9) implies a later release should contain the fix, but that version is not confirmed here, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/realestate-7/vulnerability/wordpress-real-estate-7-theme-3-5-9-sql-injection-vulnerability?_s_id=cve) and the theme vendor for the exact patched build and upgrade to it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using Real Estate 7 theme versions ≤3.5.9; identify and document affected sites and data scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39674
GHSA-4vhp-x3jq-9qc4