
RealHomes CRM Plugin Vulnerability Patched

1 unique source, 1 article

Summary

A security flaw in the RealHomes CRM plugin, bundled with a WordPress theme, affected over 30,000 websites. The vulnerability allowed low-privileged users to upload malicious files and potentially take control of affected sites. The flaw, assigned CVE-2025-67968, was discovered and reported by Patchstack Alliance community member wackydawg. The developers released a patch in version 1.0.1, which includes access control checks and file validation. The vulnerability was located in an AJAX function responsible for handling CSV file uploads. The flaw allowed any logged-in user with Subscriber-level access or higher to upload arbitrary files, potentially leading to a full site takeover. The patch introduces a current_user_can capability check and file type validation using WordPress's wp_check_filetype function.
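
The two checks the patch is described as adding, shown in a minimal WordPress AJAX upload handler. This is an added example, not the plugin's actual code; the action name example_crm_import_csv, the csv_file form field, and the manage_options capability are assumptions.

```php
<?php
// Added example: hypothetical handler, not the RealHomes CRM plugin's code.
// The action name, the capability and the 'csv_file' field are assumptions.

add_action( 'wp_ajax_example_crm_import_csv', 'example_crm_import_csv' );

function example_crm_import_csv() {
    // 1. Access control. Registering under wp_ajax_* only guarantees that the
    //    caller is logged in, so a Subscriber would pass without this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. The upload must be present and must have completed without error.
    if ( empty( $_FILES['csv_file'] ) || UPLOAD_ERR_OK !== $_FILES['csv_file']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }
    $file = $_FILES['csv_file'];

    // 3. File type validation against an allowlist that contains only CSV.
    //    wp_check_filetype() returns ext and type as false when the file
    //    name's extension is not in the list (for example "page.php").
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype( $file['name'], $allowed );
    if ( 'csv' !== $check['ext'] ) {
        wp_send_json_error( array( 'message' => 'Only .csv files are accepted.' ), 415 );
    }

    // 4. Let WordPress move the file: it enforces the same allowlist and
    //    stores the upload under a sanitized, unique file name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( array( 'message' => $moved['error'] ), 400 );
    }

    wp_send_json_success( array( 'file' => basename( $moved['file'] ) ) );
}
```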

Timeline

  1. 22.01.2026 17:10 · 1 article · 23h ago

    RealHomes CRM Plugin Vulnerability Patched

    A security flaw in the RealHomes CRM plugin, bundled with a WordPress theme, affected over 30,000 websites. The vulnerability allowed low-privileged users to upload malicious files and potentially take control of affected sites. The flaw, assigned CVE-2025-67968, was discovered and reported by Patchstack Alliance community member wackydawg. The developers released a patch in version 1.0.1, which includes access control checks and file validation.

Information Snippets