Critical Security Vulnerability in RealHomes CRM Plugin Rectified
A significant security vulnerability within the RealHomes CRM plugin, a component bundled with a WordPress theme utilised by over 30,000 websites, has been rectified.
Researchers identified that this flaw permitted users with limited privileges to upload harmful files, thereby gaining potential control over affected sites.
The vulnerability affected RealHomes CRM versions 1.0.0 and earlier and allowed any logged-in user with Subscriber-level access or above to upload arbitrary files through a CSV import feature.
Because the uploaded file was written to the server without restriction on its type, an attacker could plant executable code (for example a PHP web shell) and escalate to a complete site takeover.
Developed by InspiryThemes, the RealHomes CRM plugin accompanies the widely employed RealHomes WordPress theme, which is predominantly utilised for constructing real estate websites.
This theme boasts features such as advanced property search, diverse listing layouts, front-end submission and management capabilities, along with payment integration facilities through PayPal and Stripe, and compatibility with page builders, including Elementor.
Identified as CVE-2025-67968, this flaw was discovered and reported by a member of the Patchstack Alliance community, known as wackydawg. The vulnerability resided in an AJAX function responsible for managing CSV file uploads.
The function did verify a nonce, but a nonce only proves that the request originated from a page that rendered it; it is a CSRF control, not an authorisation control. Since the nonce was emitted on both administrative and front-end pages that Subscriber users could load, any logged-in user could obtain it and call the upload function.
Inherent Risks of the Upload Mechanism
Further scrutiny revealed several fundamental security deficiencies within the upload process. Notably, there was an absence of checks to ascertain whether the user possessed adequate privileges for performing the action, alongside a lack of validation concerning file types or extensions prior to their writing to the server.
Key vulnerabilities identified included:
- Absence of permission checks to limit access to authorised users
- Acceptance of arbitrary file uploads rather than restricting to CSV-only files
- Direct invocation of the file upload function, devoid of additional validation
In response, the developers released RealHomes CRM version 1.0.1, which adds a current_user_can capability check so that only authorised users can reach the upload feature, and adds file type and extension validation through WordPress's wp_check_filetype function before anything is written to the server.
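As an added illustration (not code from the plugin, from InspiryThemes or from the advisory), the following PHP shows the nonce-only AJAX handler pattern the report describes next to a handler hardened along the lines of the 1.0.1 fix. The hook names, nonce action, form field name, helper function and the manage_options capability are all assumptions chosen for the example; the real plugin's identifiers are not given in the article.

```php
<?php
// Added example, not the plugin's code. Hook names, nonce action ('rh_crm_import'),
// field name ('csv_file') and the chosen capability are assumptions.

// --- Vulnerable shape: nonce check only, no capability check, no type check ---
add_action( 'wp_ajax_rh_crm_import_csv', 'rh_crm_import_csv_vulnerable' );
function rh_crm_import_csv_vulnerable() {
    // A nonce only proves the request came from a page that rendered it.
    // Subscribers could load such a page, so every logged-in user passes here.
    check_ajax_referer( 'rh_crm_import', 'nonce' );

    if ( empty( $_FILES['csv_file'] ) ) {
        wp_send_json_error( 'No file.' );
    }
    // Written straight into the uploads directory under the client-chosen name:
    // shell.php is accepted exactly like contacts.csv.
    $upload_dir = wp_upload_dir();
    $dest       = trailingslashit( $upload_dir['basedir'] ) . basename( $_FILES['csv_file']['name'] );
    move_uploaded_file( $_FILES['csv_file']['tmp_name'], $dest );
    wp_send_json_success( 'Imported.' );
}

// --- Hardened shape: capability check + extension/MIME validation + no persistence ---
add_action( 'wp_ajax_rh_crm_import_csv_fixed', 'rh_crm_import_csv_fixed' );
function rh_crm_import_csv_fixed() {
    check_ajax_referer( 'rh_crm_import', 'nonce' ); // CSRF protection only

    // Authorisation. The capability is an assumption; use whichever one matches
    // the role that is actually meant to import CRM data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    if ( empty( $_FILES['csv_file'] ) || UPLOAD_ERR_OK !== $_FILES['csv_file']['error'] ) {
        wp_send_json_error( 'No file uploaded.', 400 );
    }
    $file = $_FILES['csv_file'];

    // wp_check_filetype() maps the filename's extension against an allowed-MIME
    // list; anything not in the list comes back as ext=false / type=false.
    $check = wp_check_filetype( $file['name'], array( 'csv' => 'text/csv' ) );
    if ( 'csv' !== $check['ext'] || 'text/csv' !== $check['type'] ) {
        wp_send_json_error( 'Only .csv files are accepted.', 400 );
    }

    // Parse the temp file in place and never move it into a web-served directory:
    // even if a check above were bypassed, nothing executable lands on disk.
    $rows = rh_crm_parse_csv_rows( $file['tmp_name'] );
    if ( null === $rows ) {
        wp_send_json_error( 'File is not readable CSV.', 400 );
    }
    wp_send_json_success( array( 'rows' => count( $rows ) ) );
}

// Hypothetical helper: reads a header line plus data rows with fgetcsv() and
// returns an array of header-keyed rows, or null when the file cannot be parsed.
function rh_crm_parse_csv_rows( $path ) {
    $fh = fopen( $path, 'r' );
    if ( false === $fh ) {
        return null;
    }
    $header = fgetcsv( $fh );
    if ( false === $header || null === $header ) {
        fclose( $fh );
        return null;
    }
    $width = count( $header );
    $rows  = array();
    while ( false !== ( $line = fgetcsv( $fh ) ) ) {
        if ( array( null ) === $line ) { // fgetcsv() returns [null] for a blank line
            continue;
        }
        $rows[] = array_combine( $header, array_pad( array_slice( $line, 0, $width ), $width, '' ) );
    }
    fclose( $fh );
    return $rows;
}
```

Two points worth keeping in mind when applying this pattern. First, wp_check_filetype() looks only at the extension, so a name like shell.php.csv passes it; the hardened handler is safe against that regardless, because the temp file is parsed and discarded rather than moved under the document root. Second, the order matters: the capability check sits before any file handling, so an unauthorised caller never causes a write, and check_ajax_referer() stays purely as CSRF protection rather than standing in for access control.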

This disclosure underscores the critical lesson that nonces should not be utilised as a standalone measure for access control. As emphasised in WordPress documentation, “nonces should never be relied on for authentication, authorisation, or access control.”
Users of RealHomes CRM are strongly encouraged to update to the latest version to mitigate their risk exposure.
Source link: Infosecurity-magazine.com.