CVE-2025-32596
Description
Code injection vulnerability in Real Estate Manager WordPress plugin <=7.3 allows authenticated attackers with author-level access to execute arbitrary code via the plugin's template system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Real Estate Manager plugin for WordPress (versions up to and including 7.3) suffers from a code injection vulnerability [1]. Improper control of code generation allows an attacker to inject and execute arbitrary PHP code through the plugin’s template or shortcode handling. The vulnerable code path is reachable when the plugin processes user-supplied input without sufficient sanitization or validation [1].
Exploitation
An attacker needs authenticated access to the WordPress site with at least Author-level privileges [1]. The attacker leverages the plugin’s feature that permits template or shortcode content input; by crafting a malicious payload (e.g., a shortcode argument or a template field), the attacker injects PHP code that is subsequently evaluated [1]. No additional user interaction is required beyond the attacker’s own actions.
Impact
Successful exploitation results in arbitrary code execution within the context of the WordPress installation [1]. The attacker can achieve full compromise of the site: read, modify, or delete any data, install backdoors, or pivot to the underlying server. The impact is high due to the potential for complete loss of confidentiality, integrity, and availability.
Mitigation
As of the publication date (2025-04-17), no patched version has been released [1]. Users are advised to disable or remove the Real Estate Manager plugin until a fixed version is made available. No workaround has been officially provided. The plugin may be end-of-life; consult the vendor for updates.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 7.3
Patches
No patches discovered yet.
References