CVE-2025-11191
Description
The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The RealPress WordPress plugin before 1.1.0 lacks permission checks on REST routes, allowing unauthenticated users to create pages and send emails from the site.
The RealPress WordPress plugin, prior to version 1.1.0, registers REST API routes without proper permission checks. This means that any unauthenticated visitor to a WordPress site running the plugin can access these endpoints.
The vulnerability can be exploited by an attacker who sends crafted REST API requests to the vulnerable endpoints. No authentication or special privileges are required. According to the advisory, the lack of permission checks allows the creation of arbitrary pages on the site and the sending of emails [1].
The impact is that an attacker could create malicious pages, potentially for phishing or hosting malware, and abuse the email functionality to send spam or phishing emails, damaging the site's reputation and potentially leading to further compromise.
The issue has been fixed in RealPress version 1.1.0. Users of the plugin are strongly recommended to update to the latest version immediately. There is no mention of a workaround for older versions [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
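The missing-permission-check pattern described above can be looked for in plugin source before deployment. The following is an added example, not code from RealPress or from this advisory: a heuristic Python scanner that flags WordPress `register_rest_route()` calls with no `permission_callback`, or with one set to `__return_true`. The `demo/v1` routes and callback names in the sample are constructed for illustration.

```python
import re

# Constructed sample plugin source; hypothetical routes, not taken from RealPress.
SAMPLE_PHP = r"""<?php
register_rest_route( 'demo/v1', '/pages', array(
    'methods'  => 'POST',
    'callback' => 'demo_create_page',
) );
register_rest_route( 'demo/v1', '/mail', array(
    'callback'            => 'demo_send_mail',
    'permission_callback' => '__return_true',
) );
register_rest_route( 'demo/v1', '/settings', array(
    'callback'            => 'demo_save_settings',
    'permission_callback' => function () { return current_user_can( 'manage_options' ); },
) );
"""

CALL = re.compile(r"\bregister_rest_route\s*\(")
STRING = re.compile(r"""(['"])(?:\\.|(?!\1).)*\1""", re.S)
PERM = re.compile(r"""['"]permission_callback['"]\s*=>\s*['"]?([\w\\:]*)""")

def call_args(src, start):
    """Argument text of the call whose '(' ends at `start`; string contents are masked."""
    masked = STRING.sub(lambda s: "_" * len(s.group()), src)
    depth, i = 1, start
    while i < len(masked) and depth:
        depth += {"(": 1, ")": -1}.get(masked[i], 0)
        i += 1
    return src[start:i - 1]

def audit(src):
    """Return (line, route, reason) per suspect call. Heuristic: quotes in comments can mislead it."""
    findings = []
    for m in CALL.finditer(src):
        args = call_args(src, m.end())
        # Namespace and route are assumed to be the first two string literals.
        route = "".join(s.group()[1:-1] for s in list(STRING.finditer(args))[:2])
        perm = PERM.search(args)
        if perm is None:
            reason = "missing permission_callback"
        elif perm.group(1) == "__return_true":
            reason = "permission_callback is __return_true"
        else:
            continue
        findings.append((src.count("\n", 0, m.start()) + 1, route, reason))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_PHP), sep="\n")
```

A `__return_true` finding is a prompt for manual review rather than proof of a flaw, since some endpoints are intentionally public.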
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.