Impact
Improper Restriction of Excessive Authentication Attempts in the Rameez Iqbal Real Estate Manager plugin allows an attacker to try an unlimited number of passwords for a given account. Because the plugin does not enforce any lockout or rate-limiting policy, a brute-force attack can be conducted remotely through the login interface, potentially compromising user accounts and granting an attacker full control over the WordPress site. The weakness is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts), which covers authentication controls that fail to limit repeated login attempts.
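The control the plugin lacks is a lockout or rate-limiting policy on failed logins. The following is an added illustration of such a policy in Python, not code from the Real Estate Manager plugin or from WordPress: it keeps a sliding window of failures per account and per source address, applies an exponentially growing lockout once the window fills, and rejects further attempts before the password store is even consulted. The credential store, the account name, the source address and the timestamps are constructed for the demonstration.

```python
"""Lockout / rate-limit policy for a login endpoint (added illustration, not the plugin's code)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    max_failures: int = 5            # failures tolerated inside one window
    window_seconds: float = 300.0    # sliding window over which failures are counted
    base_lockout: float = 60.0       # length of the first lockout, doubled on each repeat
    max_lockout: float = 3600.0      # ceiling for the lockout length
    _failures: dict = field(default_factory=dict, repr=False)      # key -> deque of timestamps
    _locked_until: dict = field(default_factory=dict, repr=False)  # key -> absolute time
    _lock_count: dict = field(default_factory=dict, repr=False)    # key -> number of lockouts so far

    def _recent_failures(self, key, now):
        """Drop failures that fell out of the window and return the live deque."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def is_locked(self, key, now):
        return now < self._locked_until.get(key, 0.0)

    def record_failure(self, key, now):
        """Count one failure; return the lockout length applied (0.0 if none)."""
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) < self.max_failures:
            return 0.0
        n = self._lock_count.get(key, 0)
        lockout = min(self.base_lockout * (2 ** n), self.max_lockout)
        self._locked_until[key] = now + lockout
        self._lock_count[key] = n + 1
        q.clear()
        return lockout

    def record_success(self, key, now):
        """A genuine login clears the failure history and any lockout for the key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
        self._lock_count.pop(key, None)


def attempt_login(throttle, check_password, username, source_ip, password, now):
    """Gate a login attempt; returns 'locked', 'bad_credentials' or 'ok'."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"  # refuse before touching the credential store
    if check_password(username, password):
        for k in keys:
            throttle.record_success(k, now)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "bad_credentials"


# Constructed credential store and addresses for the demonstration (hypothetical values).
USERS = {"editor": "correct horse"}
ATTACKER_IP = "203.0.113.7"


def check_password(username, password):
    # Plain comparison only because the store is a demo; real code verifies a password hash.
    return USERS.get(username) == password


def demo():
    """Eight wrong guesses one second apart, then the right password during and after the lockout."""
    throttle = LoginThrottle()
    guesses = [attempt_login(throttle, check_password, "editor", ATTACKER_IP,
                             f"guess{i}", now=float(i)) for i in range(8)]
    during_lock = attempt_login(throttle, check_password, "editor", ATTACKER_IP,
                                "correct horse", now=10.0)
    after_lock = attempt_login(throttle, check_password, "editor", ATTACKER_IP,
                               "correct horse", now=70.0)
    return guesses, during_lock, after_lock


if __name__ == "__main__":
    print(demo())
```

With the defaults, the fifth wrong guess (at t=4) triggers a 60-second lockout, so the sixth through eighth attempts are refused without a password check, the correct password is still refused at t=10, and it succeeds at t=70. Keying on the account name as well as the source address is what defeats a distributed guess against one user, but it also lets anyone lock a known username out; in practice the per-account lockout is usually paired with a CAPTCHA or a notification rather than a hard block.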
Affected Systems
All installations of the Real Estate Manager WordPress plugin, developed by Rameez Iqbal, at version 7.3 or earlier are vulnerable. The issue affects the entire release range up to and including 7.3, so builds that report no explicit version number should be treated as affected as well.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate risk, while the EPSS score of less than 1% suggests a very low current probability of exploitation; the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires only that the attacker can reach the site's authentication endpoint: repeated login requests can be sent from any remote location with network access to the administration area, and because no lockout is enforced, attempts can continue until the password is guessed.
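Until the plugin is updated, the repeated login requests described above are visible in the web server's logs, and a site operator can alert on them. The following is an added Python example, not part of the advisory or of the plugin, that parses login events and flags two patterns: a burst of failures from one source address, and a burst of failures against one account regardless of source (the pattern a per-address lockout alone misses). The log format, addresses, account names and timestamps are constructed for the example; a real deployment would adapt the regular expression to its own access-log layout.

```python
"""Detect brute-force patterns against a WordPress login endpoint (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a simplified access-log layout; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 [2024-05-01T10:00:01Z] POST /wp-login.php user=admin result=fail
203.0.113.7 [2024-05-01T10:00:03Z] POST /wp-login.php user=admin result=fail
203.0.113.7 [2024-05-01T10:00:05Z] POST /wp-login.php user=admin result=fail
198.51.100.4 [2024-05-01T10:00:06Z] POST /wp-login.php user=editor result=fail
198.51.100.4 [2024-05-01T10:00:20Z] POST /wp-login.php user=editor result=success
203.0.113.7 [2024-05-01T10:00:07Z] POST /wp-login.php user=admin result=fail
203.0.113.7 [2024-05-01T10:00:09Z] POST /wp-login.php user=admin result=fail
203.0.113.7 [2024-05-01T10:00:11Z] POST /wp-login.php user=admin result=fail
203.0.113.8 [2024-05-01T10:01:00Z] POST /wp-login.php user=owner result=fail
203.0.113.9 [2024-05-01T10:01:10Z] POST /wp-login.php user=owner result=fail
203.0.113.10 [2024-05-01T10:01:20Z] POST /wp-login.php user=owner result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] POST /wp-login\.php "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def peak_failures(events, key_field, window_seconds):
    """For each key (an IP or an account), the largest number of failures inside any window."""
    stamps_by_key = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            stamps_by_key[e[key_field]].append(e["ts"])
    peaks = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()  # log lines need not arrive in time order
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        peaks[key] = peak
    return peaks


def detect(log_text, ip_threshold=5, account_threshold=3, window_seconds=60):
    """Return sorted (pattern, subject, count) alerts for the two brute-force patterns."""
    events = list(parse_log(log_text))
    alerts = []
    for ip, n in peak_failures(events, "ip", window_seconds).items():
        if n >= ip_threshold:
            alerts.append(("source-ip-burst", ip, n))
    for user, n in peak_failures(events, "user", window_seconds).items():
        if n >= account_threshold:
            alerts.append(("account-burst", user, n))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the single address hammering `admin` trips both rules, while the three failures against `owner` from three different addresses trip only the account rule, which is why both views are needed. The legitimate `editor` login (one failure followed by a success) produces no alert. Thresholds are deliberately low for the demonstration and should be tuned to the site's normal failure rate.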
OpenCVE Enrichment
EUVD