Impact
The Essential Real Estate plugin for WordPress contains a Cross‑Site Request Forgery flaw (CWE‑352) that permits an attacker to compel a victim’s browser to send authenticated requests to the site, enabling state‑changing actions such as modifying listings, altering settings, or otherwise tampering with data while the victim is logged in. This vulnerability does not allow direct code execution or data exfiltration; its impact lies in compromising data integrity and user trust through unauthorized actions performed on behalf of the user.
Affected Systems
All WordPress sites running the g5theme Essential Real Estate plugin version 5.1.8 or earlier are affected. The issue applies across all installations of the plugin that have not been updated beyond that version.
Risk and Exploitability
The flaw carries a CVSS score of 4.3, placing it in the medium severity range. An EPSS score of less than 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is most likely a malicious web page that a logged‑in user is lured into visiting and that triggers a request to the vulnerable endpoint, exploiting the absence of a proper CSRF token or nonce. No additional technical prerequisites beyond user interaction are required, so the overall risk is governed mainly by the low exploitation probability.
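As an added example (not part of the advisory or the plugin's code), the following Python script triages a web server access log for the request pattern described above: POSTs to WordPress admin entry points whose Referer names another site. The combined log format, the two admin paths, the site host realestate.example and the sample lines are assumptions constructed for illustration; the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import urlsplit

# Assumption: state-changing WordPress requests arrive via these admin entry points.
ADMIN_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

# Combined Log Format: ip - user [time] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def cross_site_admin_posts(lines, site_host):
    """Return POSTs to admin entry points whose Referer host differs from
    site_host. A missing Referer ("-") is skipped: it is too common to be
    a useful signal without other evidence."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = urlsplit(m["path"]).path  # drop any query string
        if path not in ADMIN_PATHS:
            continue
        ref = m["referer"]
        if ref in ("", "-"):
            continue
        ref_host = (urlsplit(ref).hostname or "").lower()
        if ref_host != site_host.lower():
            hits.append({"ip": m["ip"], "time": m["time"], "path": path,
                         "status": int(m["status"]), "referer_host": ref_host})
    return hits

# Constructed sample log lines (documentation IP ranges, example domains).
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "https://realestate.example/wp-admin/edit.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:10:03:44 +0000] "POST /wp-admin/admin-ajax.php?x=1 HTTP/1.1" 200 17 "https://other-site.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2025:10:05:12 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 5 "https://other-site.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2025:10:06:30 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in cross_site_admin_posts(SAMPLE, "realestate.example"):
        print(hit)
```

A hit is a lead to compare against listing or settings changes made at that time, not proof of forgery. Browsers with a strict referrer policy may omit the Referer header, so an empty result does not rule the pattern out.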