Unauthenticated SQL Injection is present in the WordPress Real Estate 7 Theme versions up to 3.5.9, allowing an attacker with access to the website to inject arbitrary SQL statements. This vulnerability is classified under CWE-89 and can lead to complete compromise of the affected application, including data exfiltration, unauthorized data modification, or full system takeover, effectively resulting in remote code execution on the underlying host. The impact is large, affecting both confidentiality and integrity of all data stored within the database and potentially enabling total control of the site.

The vulnerability affects the Real Estate 7 Theme developed by contempoinc, with all releases up to and including version 3.5.9 being impacted. No other WordPress themes or plugins are listed as affected. The scope is limited to installations that have not applied the update to a version 3.6.0 or newer.

The CVSS score of 9.3 indicates a critical severity level. The EPSS score is not available, but the vulnerability is unauthenticated, meaning every user who can load the affected page without authentication can attempt exploitation. The vulnerability is not listed in the CISA KEV catalog, yet its high CVSS and lack of authentication requirement suggest a high likelihood of exploitation in a targeted attack or via automated scanning. The attack vector is likely through publicly accessible website content that processes user-supplied data without proper sanitization. As the issue originates from insufficient input validation as defined by CWE-89, exploitation requires no special privileges on the victim host.