A critical security vulnerability has been uncovered in the RealHomes CRM plugin, a core component of the popular Real Homes WordPress theme. Used by over 30,000 active websites, this theme is a staple for real estate professionals looking to showcase properties. However, a severe flaw tracked as CVE-2025-67968 has turned these digital open houses into potential targets for total site takeover.
The vulnerability, which carries a nearly maximum CVSS severity score of 9.9, allows attackers to bypass security checks and upload malicious code directly to the server.
The issue lies in how the plugin handles file uploads. Typically, uploading files, especially code, is a privilege reserved for administrators. However, in vulnerable versions of RealHomes CRM, this boundary is virtually non-existent.
According to the security advisory, the flaw allows “any logged-in user to arbitrarily upload files via the upload CSV file process”.
This is particularly dangerous because it doesn’t require high-level access. “This means any Subscriber or higher user is able to inject malicious code through the upload process, which can lead to a full site takeover”. In many WordPress setups, a “Subscriber” is the default role given to any user who registers, meaning the barrier to entry for an attacker is incredibly low.
The technical root of the problem is a failure to validate what is being uploaded and who is uploading it. The vulnerability exists within the upload_csv_file function.
The report highlights two critical failures in the code:
- Missing Permission Checks: “There is no proper permission check on the function, which allows users to just supply arbitrary files via $_FILES['csv_file']”.
- Missing File Validation: “Lastly, the function didn’t have a proper file type and name check, and will directly upload the file via move_uploaded_file to the server”.
This combination effectively rolls out the red carpet for attackers to upload PHP shells or other malware, granting them full control over the website.
The developers behind Inspiry Themes have moved quickly to address this “arbitrary file upload” vulnerability.
The issue affects RealHomes CRM versions 1.0.0 and below. A patch has been released in version 1.0.1, which introduces critical safeguards. The update adds “a current_user_can permissions check, ensuring that only legitimate, privileged users are allowed to use this AJAX action,” effectively locking the door against unauthorized uploads.
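To make the two failures and the fix concrete, here is an added illustration of a WordPress AJAX CSV-import handler in both forms. It is not the RealHomes CRM plugin's code; the action name, nonce name and capability are assumptions chosen for the example.

```php
<?php
// Hypothetical WordPress AJAX CSV-import handler, written for this article to
// illustrate the two failures described above and the checks that close them.
// Not the RealHomes CRM plugin's code; action, nonce and capability names are assumed.

// Pattern (A): the broken shape. No capability check, no nonce, no type or name
// validation: whatever arrives in $_FILES is written to disk under its own name.
function insecure_csv_upload_example() {
    $target = wp_upload_dir()['basedir'] . '/' . $_FILES['csv_file']['name'];
    move_uploaded_file($_FILES['csv_file']['tmp_name'], $target);
}

// Pattern (B): the hardened handler.
function secure_csv_upload_example() {
    // 1. Authorization: a privileged capability, not merely "logged in".
    //    is_user_logged_in() alone would still admit every Subscriber.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }
    // 2. CSRF protection: the request must carry the nonce issued with the form.
    check_ajax_referer('crm_csv_import', 'nonce');

    if (empty($_FILES['csv_file']) || $_FILES['csv_file']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error(['message' => 'No file received.'], 400);
    }
    $file = $_FILES['csv_file'];

    // 3. Type validation: accept only .csv, checking extension and detected content.
    $allowed = ['csv' => 'text/csv'];
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if ($check['ext'] !== 'csv' || $check['type'] !== 'text/csv') {
        wp_send_json_error(['message' => 'Only .csv files are accepted.'], 400);
    }

    // 4. Let WordPress place the file: sanitized name, allowed MIME list, uploads dir.
    $result = wp_handle_upload($file, ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_send_json_error(['message' => $result['error']], 500);
    }
    wp_send_json_success(['file' => basename($result['file'])]);
}

// Register only the hardened handler, and only for authenticated requests
// (no wp_ajax_nopriv_ hook), so the capability check above always runs.
add_action('wp_ajax_crm_import_csv', 'secure_csv_upload_example');
```

When reviewing a plugin's own upload handler, the points to confirm are the same four: a capability check, a nonce check, an allow-list of extensions and MIME types, and use of wp_handle_upload rather than a raw move_uploaded_file.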
Administrators using the Real Homes theme are urged to update their bundled plugins immediately to prevent their digital properties from being compromised.