Impact
A Cross-Site Request Forgery (CSRF) flaw in the Rameez Iqbal Real Estate Manager WordPress plugin allows an attacker to trigger authenticated actions on behalf of a logged-in user. The vulnerability is a classic instance of CWE-352: because the affected actions are not protected by a proper anti-CSRF token, a malicious site can submit forged requests to the WordPress site, and the victim's browser attaches the user's session cookies to them automatically. If exploited, an attacker can perform any operation the targeted user is authorized to execute, such as creating, modifying, or deleting real-estate listings and other data, leading to a full privilege escalation within the managed WordPress environment.
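To show the defect class and its fix side by side, the following is an added illustration written for this page, not code from the Real Estate Manager plugin: a hypothetical admin-post handler that updates a listing, first without and then with WordPress nonce verification. Hook names, field names, the capability checked and the `rem_example_` prefix are assumptions.

```php
<?php
// Added illustration (not the plugin's code). Names are hypothetical.

// Vulnerable shape (CWE-352): the handler trusts any request that arrives with
// the victim's session. A cross-site POST carries those cookies, so it passes.
function rem_example_update_listing_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    $title      = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );
    wp_safe_redirect( admin_url( 'admin.php?page=rem-listings' ) );
    exit;
}
add_action( 'admin_post_rem_example_update_listing_vulnerable', 'rem_example_update_listing_vulnerable' );

// Hardened shape: a per-user, per-action nonce is embedded in the form and
// verified before any state change. check_admin_referer() calls wp_die() on a
// missing or invalid nonce, so a forged request never reaches wp_update_post().
// A page on another origin cannot read the nonce, so it cannot forge it.
function rem_example_update_listing_hardened() {
    check_admin_referer( 'rem_example_update_listing', '_rem_nonce' );
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    // Check the capability against the specific post, not just a generic one.
    if ( ! current_user_can( 'edit_post', $listing_id ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $listing_id, 'post_title' => $title ) );
    wp_safe_redirect( admin_url( 'admin.php?page=rem-listings' ) );
    exit;
}
add_action( 'admin_post_rem_example_update_listing_hardened', 'rem_example_update_listing_hardened' );

// The legitimate form must emit the matching nonce field for the same action.
function rem_example_render_form( $listing_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rem_example_update_listing_hardened">
        <input type="hidden" name="listing_id" value="<?php echo esc_attr( $listing_id ); ?>">
        <?php wp_nonce_field( 'rem_example_update_listing', '_rem_nonce' ); ?>
        <input type="text" name="title">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

WordPress nonces are bound to the user session and expire, so beyond blocking cross-site forgery they also limit replay of a captured request.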
Affected Systems
The Real Estate Manager plugin by Rameez Iqbal is affected in all releases from the initial version through version 7.3. No later versions are known to be affected, and the release date of the earliest vulnerable version is not specified.
Risk and Exploitability
A CVSS score of 8.8 indicates high severity, while an EPSS score below 1% suggests that, at this time, insider or opportunistic exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to rely on phishing or a compromised site to convince a logged-in user to visit a malicious URL that submits a forged request to the WordPress site. No network or software prerequisites beyond a logged-in user are required, so the attack is fairly straightforward once the user is lured.
OpenCVE Enrichment
EUVD