Cyber Posture

CVE-2025-1515

Critical

Published: 05 March 2025

Published
05 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 18.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-1515 is an authentication bypass vulnerability in the WP Real Estate Manager plugin for WordPress, affecting all versions up to and including 2.8. The flaw arises from insufficient identity verification in the LinkedIn login request process, allowing attackers to circumvent standard authentication mechanisms.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, no privileges, and no user interaction required. Successful exploitation enables logging in as any site user, including administrators, granting high levels of access to confidential data, system integrity, and availability, as reflected in its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue maps to CWE-288.

Advisories providing further details, including potential mitigation steps, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/84f08111-d116-46f9-9765-28966e338753?source=cve and the plugin's ThemeForest listing at https://themeforest.net/item/home-villa-real-estate-wordpress-theme/19446059.

Details

CWE(s)
CWE-288

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The authentication bypass in a public-facing WordPress plugin directly enables remote exploitation of the web application for initial access as any user including administrators.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References