Impact
The vulnerability is a Cross-Site Request Forgery flaw in the SimplyRETS Real Estate IDX plugin that allows an attacker to execute a range of administrative actions without the victim's knowledge. The flaw can be exploited by tricking an authenticated administrator into visiting a malicious webpage that submits unintended requests to the plugin. The weakness is classified as CWE-352, highlighting the absence of proper anti-CSRF controls during form submission or processing. The attack vector is not explicitly stated in the description; it is inferred that an attacker would need to lure an admin to a malicious site that triggers forged requests. Likewise, the requirement for user interaction and authenticated admin access is inferred from the description of the vulnerability, since both are prerequisites for CSRF exploitation.
Affected Systems
The affected product is the ReichertBrothers SimplyRETS Real Estate IDX WordPress plugin, all versions up to and including 3.0.5. Site owners running any of these versions should confirm which version is installed and whether the plugin is still in use.
Risk and Exploitability
The CVSS score of 4.3 classifies the vulnerability as moderate, reflecting that it requires user interaction and administrator credentials to be useful. The EPSS score of less than 1% indicates that exploitation is unlikely in the general population, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would typically occur when an authenticated admin visits a crafted malicious site, which can then inject form submissions or AJAX requests triggering privileged actions within the plugin. Because the attack depends on social engineering or malicious HTML, defenders should monitor for anomalous requests targeting admin endpoints and reduce the attack surface by ensuring CSRF protections are in place. The requirement for user interaction and the need for administrator credentials are not directly described but are inferred based on the nature of CSRF flaws and the described impact.
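The following is an added illustration of the CWE-352 pattern described above, written for this page and not taken from the SimplyRETS plugin: a settings handler that trusts any POST it receives, beside the same handler protected with a WordPress nonce and a capability check, plus the equivalent guard for an AJAX endpoint. The option name, action names and `manage_options` capability are hypothetical placeholders, not identifiers from the plugin.

```php
<?php
/**
 * Added example (not SimplyRETS code): the CSRF-vulnerable pattern beside
 * the hardened WordPress form. All option/action names are hypothetical.
 */

// --- Vulnerable pattern: the handler acts on any POST that reaches it. ---
// A form auto-submitted from an attacker-controlled page arrives with the
// logged-in admin's cookies, so the option is silently overwritten.
// (Shown for contrast only; this function is deliberately not hooked.)
function idx_example_save_settings_vulnerable() {
    if ( isset( $_POST['idx_api_key'] ) ) {
        // No nonce, no capability check.
        update_option( 'idx_example_api_key', sanitize_text_field( wp_unslash( $_POST['idx_api_key'] ) ) );
    }
}

// --- Hardened pattern: nonce + capability check on every state change. ---

// 1. Render the settings form with a nonce bound to one specific action.
function idx_example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="idx_example_save_settings">
        <?php wp_nonce_field( 'idx_example_save_settings', '_idx_nonce' ); ?>
        <input type="text" name="idx_api_key"
               value="<?php echo esc_attr( get_option( 'idx_example_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the submission via admin-post.php; verify the nonce before anything else.
function idx_example_save_settings_hardened() {
    // Dies with a 403 when the nonce is missing, expired, or for another action/user.
    check_admin_referer( 'idx_example_save_settings', '_idx_nonce' );

    // A nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    $api_key = isset( $_POST['idx_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['idx_api_key'] ) )
        : '';
    update_option( 'idx_example_api_key', $api_key );

    // Hypothetical settings page slug used for the post-save redirect.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=idx-example' ) ) );
    exit;
}
add_action( 'admin_post_idx_example_save_settings', 'idx_example_save_settings_hardened' );

// 3. The same rule for AJAX endpoints: check_ajax_referer() before acting.
function idx_example_ajax_clear_cache() {
    check_ajax_referer( 'idx_example_clear_cache', 'nonce' ); // replies -1 with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'idx_example_listing_cache' );
    wp_send_json_success();
}
add_action( 'wp_ajax_idx_example_clear_cache', 'idx_example_ajax_clear_cache' );

// The page's own script receives the nonce server-side (e.g. via
// wp_localize_script()) and posts it in the 'nonce' field; a cross-origin
// attacker page cannot read that value, so forged requests fail the check.
```

The nonce is tied to the current user, the named action and a limited validity window, which is what makes a forged cross-site submission fail even though the browser attaches the victim's session cookies. Keeping the capability check alongside it matters because a nonce only shows the request came from a page this site rendered for this user; it says nothing about whether that user is allowed to perform the action.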
OpenCVE Enrichment
EUVD