{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1515", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-20T19:58:26.650Z", "datePublished": "2025-03-05T09:21:47.916Z", "dateUpdated": "2026-04-08T17:04:30.392Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:30.392Z"}, "affected": [{"vendor": "Chimpstudio", "product": "WP Real Estate Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated attackers to bypass official authentication and log in as any user on the site, including administrators."}], "title": "WP Real Estate Manager <= 2.8 - Authentication Bypass via Account Takeover", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84f08111-d116-46f9-9765-28966e338753?source=cve"}, {"url": "https://themeforest.net/item/home-villa-real-estate-wordpress-theme/19446059"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "cweId": "CWE-288", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-03-04T21:14:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-05T14:21:01.854202Z", "id": "CVE-2025-1515", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T14:21:10.735Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1515", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-20T19:58:26.650Z", "datePublished": "2025-03-05T09:21:47.916Z", "dateUpdated": "2025-03-05T14:21:10.735Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-05T09:21:47.916Z"}, "affected": [{"vendor": "Chimpstudio", "product": "WP Real Estate Manager", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated attackers to bypass official authentication and log in as any user on the site, including administrators."}], "title": "WP Real Estate Manager <= 2.8 - Authentication Bypass via Account Takeover", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84f08111-d116-46f9-9765-28966e338753?source=cve"}, {"url": "https://themeforest.net/item/home-villa-real-estate-wordpress-theme/19446059"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "cweId": "CWE-288", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-03-04T21:14:10.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-05T14:21:01.854202Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T14:21:06.245Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated attackers to bypass official authentication and log in as any user on the site, including administrators."}, {"lang": "es", "value": "El complemento WP Real Estate Manager para WordPress es vulnerable a la omisi\u00f3n de autenticaci\u00f3n en todas las versiones hasta la 2.8 incluida. Esto se debe a una verificaci\u00f3n de identidad insuficiente en el proceso de solicitud de inicio de sesi\u00f3n de LinkedIn. Esto hace posible que atacantes no autenticados eludan la autenticaci\u00f3n oficial e inicien sesi\u00f3n como cualquier usuario del sitio, incluidos los administradores."}], "id": "CVE-2025-1515", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-05T10:15:19.850", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/home-villa-real-estate-wordpress-theme/19446059"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84f08111-d116-46f9-9765-28966e338753?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T22:05:32.252829+00:00", "value": {"mitigation_remediation": ["Upgrade WP Real Estate Manager to the latest version that addresses the authentication bypass.", "Disable or restrict the LinkedIn login integration if it is not required, to eliminate the exploitation path.", "Review administrator accounts and enforce additional authentication controls, such as two\u2011factor authentication, to prevent unauthorized access."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass / Account Takeover"}, "threat_synthesis": {"affected_systems": "All versions of the Chimpstudio WP Real Estate Manager plugin up to and including 2.8 are affected. The vulnerability applies to any WordPress installation that has the plugin installed and the LinkedIn login feature enabled.", "description_and_impact": "The WP Real Estate Manager plugin suffers an authentication bypass due to insufficient identity verification on the LinkedIn login request process. This flaw enables attackers who are not authenticated to act as any user on the site, including administrators. Consequently, an attacker could gain full control over the WordPress site, modify listings, change settings, or extract sensitive data.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, indicating critical severity. The EPSS score is below 1%, suggesting that, while high impact, the likelihood of exploitation is currently low to moderate. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to exploit the LinkedIn authentication flow, which is possible when the plugin's LinkedIn integration is active; the flaw does not require additional access permissions."}}}}, "created": "2026-04-21T22:15:45.899346+00:00", "updated": "2026-04-21T22:15:45.899356+00:00", "vendors": []}