RealHomes CRM arbitrary file upload (CVE-2025-67968)
Summary
CVE-2025-67968 is a flaw in RealHomes CRM that let Subscriber-level users upload arbitrary files, putting sites using the plugin at risk of full takeover. It affected RealHomes CRM versions 1.0.0 and earlier and was tied to the plugin’s CSV import feature. The developers released RealHomes CRM 1.0.1, which adds permission and file-type checks.
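The sketch below shows the kind of permission and file-type checks described here, using the current_user_can and wp_check_filetype functions named in the timeline entry. It is an added example, not the RealHomes CRM source: the action name, nonce name, form field name and the choice of the manage_options capability are all assumptions.

```php
<?php
// Added example: a hypothetical CSV import handler, not the plugin's own code.
// 'example_crm_import_csv', 'nonce', 'csv_file' and 'manage_options' are assumptions.
add_action( 'wp_ajax_example_crm_import_csv', 'example_crm_import_csv' );

function example_crm_import_csv() {
    // 1. CSRF: a missing or invalid nonce ends the request here.
    check_ajax_referer( 'example_crm_import_csv', 'nonce' );

    // 2. Authorization: wp_ajax_* actions fire for any logged-in user,
    //    Subscribers included, so being logged in is not a permission check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( empty( $_FILES['csv_file'] ) || UPLOAD_ERR_OK !== $_FILES['csv_file']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }
    $file = $_FILES['csv_file'];

    // 3. File type: allow-list with a single entry. wp_check_filetype() returns
    //    'ext' => false when the name matches nothing in the list (e.g. import.php).
    $check = wp_check_filetype( $file['name'], array( 'csv' => 'text/csv' ) );
    if ( 'csv' !== $check['ext'] ) {
        wp_send_json_error( array( 'message' => 'Only .csv files are accepted.' ), 415 );
    }

    // 4. Parse from PHP's temporary location. The upload is never moved into a
    //    web-served directory, so a name such as data.php.csv cannot be requested.
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'Invalid upload.' ), 400 );
    }
    $handle = fopen( $file['tmp_name'], 'r' );
    if ( false === $handle ) {
        wp_send_json_error( array( 'message' => 'Could not read the upload.' ), 500 );
    }
    $rows = array();
    while ( false !== ( $row = fgetcsv( $handle, 0, ',', '"', '\\' ) ) ) {
        if ( array( null ) === $row ) {
            continue; // fgetcsv() reports a blank line as array( null ).
        }
        $rows[] = array_map( 'sanitize_text_field', $row );
    }
    fclose( $handle );

    wp_send_json_success( array( 'rows' => count( $rows ) ) );
}
```

wp_check_filetype decides from the file name only, so the handler also avoids storing the upload anywhere the web server would serve or execute it.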
Timeline
- 22.01.2026 17:10
RealHomes CRM CVE-2025-67968 flaw and patch
Initial Disclosure: RealHomes CRM versions 1.0.0 and earlier, in the RealHomes WordPress theme, had CVE-2025-67968, a flaw in the CSV import upload path that let logged-in Subscriber-level users upload arbitrary files and potentially place malicious code on affected sites. The developers released RealHomes CRM 1.0.1 with current_user_can capability checks and wp_check_filetype validation to reduce the risk.
Sources:
- RealHomes CRM Plugin Flaw Affected 30,000 WordPress Sites — www.infosecurity-magazine.com — 22.01.2026 17:10