Skip to main content

Realtyna Organic IDX EUVDEUVD-2026-36841

| CVE-2026-45439 CRITICAL
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-3vpr-w47g-rp7p
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network SQLi with no user interaction (AV:N/AC:L/PR:N/UI:N); scope change and C:H reflect cross-table data disclosure; I:N/A:L matches a read-only injection consistent with the reported vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:54 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.

AnalysisAI

Unauthenticated SQL injection in Realtyna Organic IDX WordPress plugin (versions 5.1.0 and earlier) allows remote attackers to inject arbitrary SQL into backend queries without credentials. The flaw carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the plugin's own data boundary, though no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress sites running this real-estate listing plugin.

Technical ContextAI

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the canonical SQL injection weakness. It affects Realtyna's Organic IDX plugin (CPE cpe:2.3:a:realtyna:realtyna_organic_idx_plugin), a WordPress extension used to integrate IDX/MLS real-estate listing feeds into WordPress sites. The plugin presumably accepts user-supplied parameters (search filters, listing IDs, or AJAX endpoints typical of IDX plugins) that flow into SQL queries without proper parameterization or sanitization, allowing attackers to manipulate the resulting query. Because WordPress plugins share the global $wpdb database connection, a successful injection can read from any WordPress table, including wp_users and wp_options.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/real-estate-listing-realtyna-wpl/vulnerability/wordpress-realtyna-organic-idx-plugin-plugin-5-1-0-sql-injection-vulnerability) for the fixed version once published and upgrade beyond 5.1.0. Until a fix is verified, compensating controls include deactivating the Realtyna Organic IDX plugin entirely (trade-off: IDX listing functionality and SEO impact go offline), placing the site behind a WAF such as Patchstack mApp, Wordfence, or Cloudflare with SQLi rule sets enabled (trade-off: false positives on legitimate search queries with quotes or SQL keywords), or restricting access to the plugin's known endpoints via web-server rules until upgrade is possible. Audit wp_users and access logs for anomalous query strings containing UNION, SLEEP, or encoded SQL meta-characters targeting plugin endpoints.

Share

EUVD-2026-36841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy