{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67968", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:23.853Z", "datePublished": "2026-01-22T16:51:58.994Z", "dateUpdated": "2026-04-28T19:30:14.671Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "realhomes-crm", "product": "Real Homes CRM", "vendor": "InspiryThemes", "versions": [{"changes": [{"at": "1.0.1", "status": "unaffected"}], "lessThanOrEqual": "1.0.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "wackydawg | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:34.029Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files.<p>This issue affects Real Homes CRM: from n/a through <= 1.0.0.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files.This issue affects Real Homes CRM: from n/a through <= 1.0.0."}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "Using Malicious Files"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.804Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/realhomes-crm/vulnerability/wordpress-real-homes-crm-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress Real Homes CRM plugin <= 1.0.0 - Arbitrary File Upload vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T19:03:17.326614Z", "id": "CVE-2025-67968", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:30:14.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67968", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T19:03:17.326614Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T19:03:10.676Z"}}], "cna": {"title": "WordPress Real Homes CRM plugin <= 1.0.0 - Arbitrary File Upload vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "wackydawg | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "Using Malicious Files"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "InspiryThemes", "product": "Real Homes CRM", "versions": [{"status": "affected", "changes": [{"at": "1.0.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.0"}], "packageName": "realhomes-crm", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:34.029Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/realhomes-crm/vulnerability/wordpress-real-homes-crm-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files.This issue affects Real Homes CRM: from n/a through <= 1.0.0.", "supportingMedia": [{"type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files.<p>This issue affects Real Homes CRM: from n/a through <= 1.0.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.804Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67968", "state": "PUBLISHED", "dateUpdated": "2026-04-28T19:30:14.671Z", "dateReserved": "2025-12-15T10:00:23.853Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:58.994Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files.This issue affects Real Homes CRM: from n/a through <= 1.0.0."}, {"lang": "es", "value": "Una vulnerabilidad de carga sin restricciones de archivo con tipo peligroso en InspiryThemes Real Homes CRM realhomes-crm permite el uso de archivos maliciosos. Este problema afecta a Real Homes CRM: desde n/a hasta &lt;= 1.0.0."}], "id": "CVE-2025-67968", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:06.357", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/realhomes-crm/vulnerability/wordpress-real-homes-crm-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:57:06.069193+00:00", "value": {"mitigation_remediation": ["Upgrade the Real Homes CRM plugin to the latest version that removes the unrestricted upload flaw.", "If an immediate upgrade is not possible, disable the Real Homes CRM plugin until a patch is applied to prevent any file upload attempts.", "Configure the WordPress site to reject uploads of executable or dangerous file types at the web server or application layer, ensuring only trusted file types are accepted when the plugin is active."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the InspiryThemes Real Homes CRM WordPress plugin, all releases from the earliest iterations through version 1.0.0. Any WordPress installation that has this plugin installed and not upgraded beyond 1.0.0 is susceptible.", "description_and_impact": "The vulnerability is an unrestricted file upload flaw that allows an attacker to upload files of any type to the server. If a malicious executable or web shell is uploaded, the attacker can run arbitrary code with the privileges of the web application, potentially compromising the entire site and any connected services. The weakness is identified as CWE-434, which describes improper validation and handling of user-supplied file input.", "risk_and_exploitability": "Based on the description, it is inferred that the likely attack vector is an unauthenticated or authenticated user submitting a file through the plugin\u2019s upload form, bypassing any server\u2011side checks. The CVSS score of 9.9 classifies this as a critical vulnerability. The EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of analysis, and it is not yet included in CISA\u2019s KEV catalog. Nevertheless, successful exploitation can grant the attacker full control over the web root, allowing data exfiltration, defacement, or the deployment of additional malware."}}}}, "created": "2026-01-23T16:30:23.577009+00:00", "updated": "2026-04-28T10:00:06.506432+00:00", "vendors": ["inspirythemes", "inspirythemes$PRODUCT$realhomes", "wordpress", "wordpress$PRODUCT$wordpress"]}