Description
Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.3.2.
Published: 2025-12-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The identified issue involves an Authorization Bypass through User‑Controlled Key in the g5theme Essential Real Estate WordPress plugin. An attacker can supply a crafted key to plugin endpoints, causing the system to skip normal access checks and permitting the attacker to read or modify protected listing data. This can compromise the confidentiality and integrity of real‑estate listings, and is inferred to be exploitable via crafted HTTP requests that include a request‑parameter key or identifier.

Affected Systems

The vulnerable product is the g5theme Essential Real Estate WordPress plugin. All released versions from the first iteration through version 5.3.2 are affected. No later releases are documented as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. The EPSS score of <1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require an attacker to guess or obtain a valid key to bypass normal authorization, allowing unauthorized read/write operations on listing data, which could be significant for sites that rely on the plugin for confidential listings.

Generated by OpenCVE AI on April 29, 2026 at 02:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Essential Real Estate plugin (≥5.3.3), which removes the IDOR flaw.
  • Configure WordPress role‑based access controls to restrict the plugin’s administrative pages to users with administrator privileges.
  • Inspect custom code or plugin hooks that pass user‑controlled identifiers to ensure they perform proper authorization checks before accessing listing data.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Description
  Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.9.
  Values Added: Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.3.2.
Title
  Values Removed: WordPress Essential Real Estate plugin <= 5.2.9 - Insecure Direct Object References (IDOR) vulnerability
  Values Added: WordPress Essential Real Estate plugin <= 5.3.2 - Insecure Direct Object References (IDOR) vulnerability

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.2.
  Values Added: Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.9.
Title
  Values Removed: WordPress Essential Real Estate plugin <= 5.2.2 - Insecure Direct Object References (IDOR) vulnerability
  Values Added: WordPress Essential Real Estate plugin <= 5.2.9 - Insecure Direct Object References (IDOR) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 17:15:00 +0000

First Time appeared
  Values Added: G5theme; G5theme essential Real Estate; Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: G5theme; G5theme essential Real Estate; Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 16:15:00 +0000

Metrics
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 08:30:00 +0000

Description
  Values Added: Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.2.
Title
  Values Added: WordPress Essential Real Estate plugin <= 5.2.2 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses
  Values Added: CWE-639
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:28.324Z

Reserved: 2025-12-15T10:01:24.071Z

Link: CVE-2025-68071

Vulnrichment

Updated: 2025-12-16T15:26:40.924Z

NVD

Status: Deferred

Published: 2025-12-16T09:16:02.410

Modified: 2026-04-24T20:16:24.080

Link: CVE-2025-68071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses