G5Theme Essential Real Estate vulnerabilities
11 known vulnerabilities affecting g5theme/essential_real_estate.
Total CVEs
11
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH2MEDIUM6UNKNOWN1
Vulnerabilities
Page 1 of 1
CVE-2025-66127MEDIUMCVSS 5.4≤ 5.2.92025-12-16
CVE-2025-66127 [MEDIUM] CWE-862 CVE-2025-66127: Missing Authorization vulnerability in g5theme Essential Real Estate essential-real-estate allows Ex
Missing Authorization vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through <= 5.2.9.
cvelistv5nvd
CVE-2025-68071MEDIUMCVSS 6.5≤ 5.2.92025-12-16
CVE-2025-68071 [MEDIUM] CWE-639 CVE-2025-68071: Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate esse
Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through <= 5.2.9.
cvelistv5nvd
CVE-2025-48126CRITICALCVSS 9.8≤ 5.2.92025-06-09
CVE-2025-48126 [CRITICAL] CWE-98 CVE-2025-48126: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusio
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion.This issue affects Essential Real Estate: from n/a through <= 5.2.9.
cvelistv5nvd
CVE-2025-30849CRITICALCVSS 9.8≤ 5.2.02025-04-01
CVE-2025-30849 [CRITICAL] CWE-98 CVE-2025-30849: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusio
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion.This issue affects Essential Real Estate: from n/a through <= 5.2.0.
cvelistv5nvd
CVE-2025-24698UNKNOWN≤ 5.1.82025-01-24
CVE-2025-24698 CWE-352 CVE-2025-24698: Cross-Site Request Forgery (CSRF) vulnerability in g5theme Essential Real Estate essential-real-esta
Cross-Site Request Forgery (CSRF) vulnerability in g5theme Essential Real Estate essential-real-estate allows Cross Site Request Forgery.This issue affects Essential Real Estate: from n/a through <= 5.1.8.
cvelistv5nvd
CVE-2024-12329MEDIUMCVSS 4.3≤ 5.1.62024-12-12
CVE-2024-12329 [MEDIUM] CWE-200 CVE-2024-12329: The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs
cvelistv5nvd
CVE-2024-4274MEDIUMCVSS 4.3≤ 4.4.42024-06-04
CVE-2024-4274 [MEDIUM] CWE-639 CVE-2024-4274: The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to ins
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.
cvelistv5nvd
CVE-2024-4273MEDIUMCVSS 5.4≤ 4.4.22024-06-04
CVE-2024-4273 [MEDIUM] CWE-79 CVE-2024-4273: The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and
cvelistv5nvd
CVE-2023-6140HIGHCVSS 8.8≤ 4.3.52024-01-08
CVE-2023-6140 [HIGH] CWE-434 CVE-2023-6140: The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileg
The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution.
nvd
CVE-2023-6827HIGHCVSS 8.8≤ 4.3.52023-12-15
CVE-2023-6827 [HIGH] CWE-434 Essential Real Estate <= 4.3.5 - Authenticated (Subscriber+) Arbitrary File Upload
Essential Real Estate <= 4.3.5 - Authenticated (Subscriber+) Arbitrary File Upload
The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to, and including, 4.3.5. This makes it possible for authenticated attackers with subscriber-level capabilities or above, to up
cvelistv5
CVE-2022-3933MEDIUMCVSS 5.4PoCfixed in 3.9.62022-12-12
CVE-2022-3933 [MEDIUM] CWE-79 CVE-2022-3933: The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escapes some parameter
The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks.
nvd