Skip to main content

Realtyna Organic IDX CVE-2026-57811

| EUVDEUVD-2026-43423 CRITICAL
Code Injection (CWE-94)
2026-07-13 Patchstack
10.0
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated remote code injection with low complexity (AV:N/AC:L/PR:N/UI:N) yields full C/I/A on the host; I assess S:U as code executes within the WordPress process rather than crossing a proven security boundary, absent detail justifying scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:25 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 10.0

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows Remote Code Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through <= 5.2.0.

AnalysisAI

Remote code injection in the Realtyna Organic IDX WordPress plugin (real-estate-listing-realtyna-wpl) affects all versions up to and including 5.2.0, allowing remote attackers to inject and execute arbitrary code (described as 'Remote Code Inclusion') against affected WordPress sites. Patchstack assigned a maximum CVSS 3.1 base score of 10.0 with an unauthenticated network vector and scope change, indicating full compromise of the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Organic IDX plugin
Delivery
Send crafted request to vulnerable endpoint
Exploit
Inject code via Remote Code Inclusion
Execution
Execute arbitrary PHP as web user
Impact
Deploy web shell and pivot to host

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress site with the Realtyna Organic IDX plugin (real-estate-listing-realtyna-wpl) installed and active at any version up to and including 5.2.0, reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are strongly weighted toward high priority: the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H describes a remotely reachable, low-complexity, unauthenticated, no-interaction code-injection flaw with scope change and full C/I/A impact, yielding the maximum 10.0 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a WordPress site running Realtyna Organic IDX <= 5.2.0, injecting attacker-controlled code (or a remotely included resource) into a vulnerable plugin code path. The injected code executes within the site's PHP process, giving the attacker a web shell and full control of the application, with potential pivot to the hosting environment consistent with the scope-changed rating. …
Remediation No vendor-released patch version is identified in the available data - the input specifies affected versions through <= 5.2.0 but does not name a fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/real-estate-listing-realtyna-wpl/vulnerability/wordpress-realtyna-organic-idx-plugin-plugin-5-2-0-remote-code-execution-rce-vulnerability) and the Realtyna vendor site for any release newer than 5.2.0 and upgrade immediately once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: immediately disable and remove the Realtyna Organic IDX WordPress plugin (real-estate-listing-realtyna-wpl) versions 5.2.0 and below from all production WordPress instances, then audit access logs and file integrity monitoring for evidence of unauthorized code execution. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy