Description
Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated SQL injection that occurs in the Realtyna Organic IDX plugin for WordPress version 5.1.0 and earlier. An attacker can supply crafted input that is directly embedded into SQL statements, allowing the execution of arbitrary database queries. This flaw enables attackers to read sensitive data from the WordPress database, modify or delete database entries, and potentially alter application behavior by inserting malicious records.

Affected Systems

Any WordPress site that has installed Realtyna Organic IDX plugin version 5.1.0 or earlier is affected. The plugin is distributed by Realtyna and is commonly used in real‑estate listing plugins on WordPress sites.

Risk and Exploitability

The CVSS score of 9.3 denotes a critical severity for an unauthenticated vulnerability. The EPSS score of less than 1% indicates that exploitation is currently unlikely, and the vulnerability is not in the CISA KEV catalog. However, because the attack requires only unauthenticated HTTP requests to the plugin’s endpoints, the threat remains significant if the vulnerability remains unpatched.

Generated by OpenCVE AI on June 18, 2026 at 03:21 UTC.

Remediation

Vendor Solution

Update the WordPress Realtyna Organic IDX plugin Plugin to the latest available version (at least 5.2.0).


OpenCVE Recommended Actions

  • Update the Realtyna Organic IDX plugin to version 5.2.0 or newer.
  • If an immediate update is not available, disable or remove the plugin from the site to eliminate the attack surface.
  • Configure a web application firewall or similar rule set to block suspicious SQL patterns targeting the plugin’s request endpoints.

Generated by OpenCVE AI on June 18, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Realtyna
Realtyna realtyna Organic Idx Plugin
Wordpress
Wordpress wordpress
Vendors & Products Realtyna
Realtyna realtyna Organic Idx Plugin
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.
Title WordPress Realtyna Organic IDX plugin plugin <= 5.1.0 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Realtyna Realtyna Organic Idx Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:26:45.649Z

Reserved: 2026-05-12T13:08:41.670Z

Link: CVE-2026-45439

cve-icon Vulnrichment

Updated: 2026-06-16T12:26:41.894Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:03.630

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-45439

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:01Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')