G5Plus Essential Real Estate vulnerabilities

10 known vulnerabilities affecting g5plus/essential_real_estate.

Total CVEs
10
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH2MEDIUM5UNKNOWN1

Vulnerabilities

Page 1 of 1
CVE-2025-48126CRITICALCVSS 9.8≤ 5.2.22025-06-09
CVE-2025-48126 [CRITICAL] CWE-98 CVE-2025-48126: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusio Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion.This issue affects Essential Real Estate: from n/a through <= 5.2.9.
nvd
CVE-2025-30849CRITICALCVSS 9.8fixed in 5.2.12025-04-01
CVE-2025-30849 [CRITICAL] CWE-98 CVE-2025-30849: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusio Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion.This issue affects Essential Real Estate: from n/a through <= 5.2.0.
nvd
CVE-2025-24698UNKNOWNfixed in 5.1.92025-01-24
CVE-2025-24698 CWE-352 CVE-2025-24698: Cross-Site Request Forgery (CSRF) vulnerability in g5theme Essential Real Estate essential-real-esta Cross-Site Request Forgery (CSRF) vulnerability in g5theme Essential Real Estate essential-real-estate allows Cross Site Request Forgery.This issue affects Essential Real Estate: from n/a through <= 5.1.8.
nvd
CVE-2024-12329MEDIUMCVSS 4.3fixed in 5.1.72024-12-12
CVE-2024-12329 [MEDIUM] CWE-200 CVE-2024-12329: The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs
nvd
CVE-2024-4274MEDIUMCVSS 4.3fixed in 4.4.52024-06-04
CVE-2024-4274 [MEDIUM] CWE-639 CVE-2024-4274: The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to ins The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.
nvd
CVE-2024-4273MEDIUMCVSS 5.4fixed in 4.4.32024-06-04
CVE-2024-4273 [MEDIUM] CWE-79 CVE-2024-4273: The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and
nvd
CVE-2023-6140HIGHCVSS 8.8fixed in 4.4.02024-01-08
CVE-2023-6140 [HIGH] CWE-434 CVE-2023-6140: The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileg The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution.
nvd
CVE-2023-6139MEDIUMCVSS 6.5fixed in 4.4.02024-01-08
CVE-2023-6139 [MEDIUM] CWE-862 CVE-2023-6139: The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on i The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Denial of Service attacks.
nvd
CVE-2023-6141MEDIUMCVSS 5.4fixed in 4.4.02024-01-08
CVE-2023-6141 [MEDIUM] CWE-79 CVE-2023-6141: The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on i The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks.
nvd
CVE-2023-6827HIGHCVSS 8.8≤ 4.3.52023-12-15
CVE-2023-6827 [HIGH] CVE-2023-6827: The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insuff The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to, and including, 4.3.5. This makes it possible for authenticated attackers with subscriber-level capabilities or above, to upload arbitrary files on the affected site's server which ma
nvd