Essential Real Estate

Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through <= 5.3.2.

Published: 2025-12-16T08:13:03.975Z
Updated: 2026-04-28T16:14:28.324Z

Missing Authorization vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through <= 5.3.2.

Published: 2025-12-16T08:12:53.580Z
Updated: 2026-04-28T16:14:17.633Z

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion.This issue affects Essential Real Estate: from n/a through <= 5.2.9.

Published: 2025-06-09T15:54:03.530Z
Updated: 2026-04-28T16:12:52.081Z

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion.This issue affects Essential Real Estate: from n/a through <= 5.2.0.

Published: 2025-04-01T05:31:38.644Z
Updated: 2026-04-28T16:11:58.855Z

Cross-Site Request Forgery (CSRF) vulnerability in g5theme Essential Real Estate essential-real-estate allows Cross Site Request Forgery.This issue affects Essential Real Estate: from n/a through <= 5.1.8.

Published: 2025-01-24T17:25:00.924Z
Updated: 2026-04-28T16:11:32.102Z

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.

Published: 2024-06-04T05:32:15.727Z
Updated: 2026-04-08T17:02:57.489Z

The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2024-06-04T05:32:16.657Z
Updated: 2026-04-08T17:21:08.437Z

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs

Published: 2024-12-12T06:46:35.297Z
Updated: 2026-04-08T17:34:22.508Z

The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to, and including, 4.3.5. This makes it possible for authenticated attackers with subscriber-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2023-6140 appears to be a duplicate of this issue.

Published: 2023-12-15T07:30:42.053Z
Updated: 2026-04-08T17:05:52.326Z