CVE-2025-48150
Description
Missing Authorization vulnerability in sminozzi Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin real-estate-right-now allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin: from n/a through <= 4.48.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Real Estate Property 2024 plugin (≤4.48) allows unauthenticated privilege escalation via broken access controls.
The vulnerability is a missing authorization check in the WordPress Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin (real-estate-right-now). Versions up to and including 4.48 lack proper access control security level validation in certain functions, allowing unprivileged users to perform actions intended for higher-privileged roles [1].
Exploitation does not require authentication; an attacker can trigger the vulnerable functionality without a valid user session or nonce token check. The plugin fails to enforce proper capability checks, which is a classic broken access control issue [1].
A successful attack enables an unprivileged actor to execute privileged actions—such as modifying plugin settings or creating custom fields—without authorization, potentially leading to further site compromise [1].
The vendor has released version 4.49 which resolves the vulnerability. Users are strongly advised to update immediately or enable auto-updates via Patchstack. While the CVSS score is low (4.3), the vulnerability may be targeted in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=4.48
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.