Critical Arbitrary File Upload Vulnerability in RealHomes CRM Plugin Affecting 30k+ Sites
A critical arbitrary file upload vulnerability (CVE-2025-67968) in the RealHomes CRM WordPress plugin allows any authenticated Subscriber+ user to upload arbitrary files, leading to full site takeover.

A critical arbitrary file upload vulnerability has been discovered in the RealHomes CRM plugin, which is bundled with the RealHomes WordPress theme. Tracked as CVE-2025-67968, the flaw affects versions 1.0.0 and below and allows any authenticated user with Subscriber-level access or higher to upload arbitrary files to the server. This can lead to remote code execution and full site takeover, putting over 30,000 active installations at risk.
The vulnerability resides in the `upload_csv_file` function of the RealHomes CRM plugin. The function is intended to handle CSV uploads for importing property data, but it performs neither a capability check nor any validation of the uploaded file's type. The only gate is a nonce check via `check_ajax_referer`. A nonce, however, is not a secret: WordPress renders it into pages that any logged-in user, including a Subscriber, can load, so an attacker simply reads the value out of the admin or front-end markup and replays it with a crafted request. The attacker can therefore submit a malicious file, such as a PHP web shell, through the CSV upload action, and the handler moves it into the server's upload directory without checking either its extension or its contents.
The impact of this vulnerability is severe. An attacker with only a Subscriber account, the lowest of the default WordPress roles, can upload arbitrary files, including executable PHP scripts. Because the uploads directory is served directly by the web server and, on a default configuration, PHP files placed there are executed, the attacker can request the uploaded script by URL and run arbitrary commands, steal data, install backdoors, or take over the site outright. Given that the RealHomes theme is specifically designed for real estate websites, many of which handle sensitive client information and payment data, the potential for data breaches and financial loss is significant.
The vulnerability was discovered and responsibly disclosed by Patchstack Alliance community member wackydawg. The patch was released in version 1.0.1 of the RealHomes CRM plugin. The fix adds a capability check using `current_user_can()` so that only users holding the appropriate capability (administrators or editors, for instance) can reach the upload handler. The patch also validates the upload with the WordPress `wp_check_filetype` function, which maps the file's extension against an allow-list of permitted MIME types so that only the expected type (.csv) is accepted.
Patchstack has emphasized that this vulnerability highlights a common security pitfall in WordPress plugin development: relying on nonces for access control. As the WordPress developer documentation states, "Nonces should never be relied on for authentication, authorization, or access control." Nonces are designed to protect against Cross-Site Request Forgery (CSRF) by proving that a request originated from a page the site itself served; they say nothing about what the requesting user is allowed to do. Developers must always pair them with `current_user_can()` or a similar capability check before performing a privileged action. In this case, the nonce was exposed to all logged-in users, so obtaining it was trivial and the upload function was effectively open to every account on the site.
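The following is an added illustration of the pattern the three paragraphs above describe; it is not the RealHomes CRM plugin's code and the handler names, the nonce action `demo_csv_import` and the `csv_file` field are assumptions. The first handler shows the nonce-only gate and the unchecked `move_uploaded_file`; the second shows the two missing controls. The page says the vendor patch uses `wp_check_filetype`, which only maps the extension; the hardened handler here uses the stricter `wp_check_filetype_and_ext`, which additionally sniffs the file contents, and then lets `wp_handle_upload` enforce the same allow-list while assigning a sanitized, unique filename.

```php
<?php
/**
 * Added example, not the plugin's own code. Handler names, the nonce
 * action 'demo_csv_import' and the 'csv_file' field are assumptions.
 */

// --- Vulnerable pattern: the nonce is the only gate. ---
// Any logged-in user who can load a page that prints
// wp_create_nonce( 'demo_csv_import' ) can call this action.
add_action( 'wp_ajax_demo_csv_import_vuln', 'demo_csv_import_vuln' );
function demo_csv_import_vuln() {
    check_ajax_referer( 'demo_csv_import', 'nonce' ); // CSRF protection only

    $file   = $_FILES['csv_file'];
    $upload = wp_upload_dir();
    // Name and contents are trusted as-is: shell.php lands in a web-served dir.
    $dest = trailingslashit( $upload['path'] ) . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened pattern: capability check plus file type validation. ---
add_action( 'wp_ajax_demo_csv_import', 'demo_csv_import' );
function demo_csv_import() {
    check_ajax_referer( 'demo_csv_import', 'nonce' );

    // Authorization: the nonce proves intent, not permission.
    // 'manage_options' (administrators) is an assumed choice of capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( empty( $_FILES['csv_file'] ) || ! is_uploaded_file( $_FILES['csv_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['csv_file'];

    // Allow-list a single extension/MIME pair; everything else is rejected.
    // wp_check_filetype_and_ext() also sniffs the content, so a PHP script
    // renamed to .csv is rejected as well.
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || 'csv' !== $check['ext'] ) {
        wp_send_json_error( 'only .csv files are accepted', 415 );
    }

    // Let WordPress move the file under a sanitized, unique name;
    // test_type re-checks the type against the same allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'test_type' => true,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => $result['file'] ) );
}
```

Order matters in the hardened handler: the capability check runs before the file is touched, so an unauthorized request never reaches the type check, and the type check runs before the move, so nothing is written to disk until the file has passed the allow-list.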
Users of the RealHomes theme are strongly advised to update the RealHomes CRM plugin to version 1.0.1 or later immediately. Site administrators should also audit their user roles and remove any unnecessary Subscriber accounts that could serve as an initial foothold, and check whether open registration ("Anyone can register" under Settings > General) is enabled, since that lets an attacker create the Subscriber account for themselves. For those unable to update immediately, a temporary workaround is to disable the CSV upload functionality or to restrict access to the plugin's AJAX actions via a web application firewall or custom code.
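As an added example of the "custom code" workaround mentioned above, the following must-use plugin intercepts `admin-ajax.php` requests before any `wp_ajax_` handler runs and rejects the guarded action for users without the required capability. It is not the plugin's or Patchstack's code; the page does not name the plugin's AJAX action, so `demo_csv_import` is a placeholder that must be replaced with the real action name, and the `manage_options` capability is an assumed choice.

```php
<?php
/**
 * Plugin Name: Temporary AJAX guard for an unpatched upload action
 * Added example, not the plugin's own code. Drop into wp-content/mu-plugins/.
 * The action name 'demo_csv_import' is an assumption; replace it with the
 * wp_ajax_ action the vulnerable plugin actually registers.
 */

add_action( 'admin_init', function () {
    // admin-ajax.php defines DOING_AJAX and fires admin_init before it
    // dispatches wp_ajax_{action}, so this runs ahead of the plugin handler.
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }

    // Actions to fence off until the plugin is updated.
    $guarded = array( 'demo_csv_import' );

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( ! in_array( $action, $guarded, true ) ) {
        return;
    }

    // Deny everyone below the assumed capability; wp_send_json_error()
    // terminates the request, so the plugin handler never executes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'action temporarily restricted', 403 );
    }
}, 1 );
```

Because the guard keys on the request's `action` parameter rather than on a URL, it also covers the `wp_ajax_nopriv_` variant if the plugin registers one, and it can be removed as soon as the patched version is installed.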
This incident is part of a broader trend of critical file upload vulnerabilities in WordPress plugins. Similar flaws have been discovered and actively exploited in plugins such as Slider Revolution, Breeze Cache, and others. The recurring pattern, a missing capability check combined with insufficient file type validation, underscores the need for developers to follow secure coding practices and for site owners to maintain a rigorous patch management routine. With over 30,000 sites running the RealHomes theme, the window between public disclosure and mass exploitation is typically narrow, and the potential damage is high.