Skip to main content

Real Estate 7 EUVDEUVD-2026-39756

| CVE-2026-57641 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-26 audit@patchstack.com GHSA-wr7m-w6xj-frxv
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
7.1 HIGH

PR:N reflects attacker requires no credentials; UI:R mandatory per CSRF nature; I:L added independently as CSRF enabling any unauthorized action implies at minimum low integrity impact, contrasting with NVD's I:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:11 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in Real Estate 7 <= 3.5.9 versions.

AnalysisAI

Cross-Site Request Forgery in the Real Estate 7 WordPress theme (versions <= 3.5.9) enables unauthenticated remote attackers to forge destructive HTTP requests on behalf of authenticated users, with the CVSS vector indicating high availability impact - consistent with forced deletion of property listings or site content rather than data exposure or modification. Exploitation requires luring an authenticated WordPress session holder to a malicious page, making it a social-engineering-dependent attack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register attacker-controlled domain
Delivery
Craft auto-submitting CSRF HTML form targeting vulnerable theme endpoint
Exploit
Deliver phishing link to authenticated WordPress admin
Install
Admin visits page in active session
C2
Browser submits forged request without nonce
Execute
Theme processes unauthenticated deletion/destructive action
Impact
Listing data or site content destroyed

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user - most likely an administrator or editor with sufficient privileges to trigger the vulnerable action - to visit an attacker-controlled web page while holding an active authenticated session on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H reflects a moderate-severity flaw where the primary constraint is mandatory user interaction (UI:R) - an authenticated administrator or editor must be socially engineered into visiting an attacker-controlled page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain and hosts a page containing a hidden HTML form targeting a vulnerable Real Estate 7 theme endpoint - such as a bulk-delete or reset action - with auto-submit JavaScript. The attacker then sends a phishing email to the WordPress site administrator; when the admin opens the email and visits the linked page while logged into their WordPress site, the browser silently submits the forged request, potentially wiping real estate listings or disrupting the site. …
Remediation Update the Real Estate 7 WordPress theme to a version beyond 3.5.9; the Patchstack advisory at https://patchstack.com/database/wordpress/theme/realestate-7/vulnerability/wordpress-real-estate-7-theme-3-5-9-cross-site-request-forgery-csrf-vulnerability should be consulted for the confirmed fixed release, as no specific patch version was identified in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy