Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
PR:N reflects attacker requires no credentials; UI:R mandatory per CSRF nature; I:L added independently as CSRF enabling any unauthorized action implies at minimum low integrity impact, contrasting with NVD's I:N.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in Real Estate 7 <= 3.5.9 versions.
AnalysisAI
Cross-Site Request Forgery in the Real Estate 7 WordPress theme (versions <= 3.5.9) enables unauthenticated remote attackers to forge destructive HTTP requests on behalf of authenticated users, with the CVSS vector indicating high availability impact - consistent with forced deletion of property listings or site content rather than data exposure or modification. Exploitation requires luring an authenticated WordPress session holder to a malicious page, making it a social-engineering-dependent attack. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user - most likely an administrator or editor with sufficient privileges to trigger the vulnerable action - to visit an attacker-controlled web page while holding an active authenticated session on the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 6.5 with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H reflects a moderate-severity flaw where the primary constraint is mandatory user interaction (UI:R) - an authenticated administrator or editor must be socially engineered into visiting an attacker-controlled page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a domain and hosts a page containing a hidden HTML form targeting a vulnerable Real Estate 7 theme endpoint - such as a bulk-delete or reset action - with auto-submit JavaScript. The attacker then sends a phishing email to the WordPress site administrator; when the admin opens the email and visits the linked page while logged into their WordPress site, the browser silently submits the forged request, potentially wiping real estate listings or disrupting the site. … |
| Remediation | Update the Real Estate 7 WordPress theme to a version beyond 3.5.9; the Patchstack advisory at https://patchstack.com/database/wordpress/theme/realestate-7/vulnerability/wordpress-real-estate-7-theme-3-5-9-cross-site-request-forgery-csrf-vulnerability should be consulted for the confirmed fixed release, as no specific patch version was identified in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39756
GHSA-wr7m-w6xj-frxv