CVE-2024-4274

4.3 MEDIUM

📋 TL;DR

The Essential Real Estate WordPress plugin has an authorization vulnerability that allows authenticated users with subscriber-level access or higher to delete arbitrary file attachments. This affects all WordPress sites running the plugin up to and including version 4.4.2. Attackers can exploit this to remove important media files from the site.

💻 Affected Systems

Products:
  • Essential Real Estate WordPress Plugin
Versions: All versions up to and including 4.4.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin active. Any authenticated user (subscriber role or higher) can exploit.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Critical site media assets are deleted, causing broken images, missing documents, and potential business disruption if important property listings lose their visual content.

🟠

Likely Case

Attackers delete random or targeted attachments, causing minor to moderate content disruption requiring restoration from backups.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to minor inconvenience with quick restoration possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple. Subscriber role is the lowest WordPress user level.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.3 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/essential-real-estate/trunk/public/partials/property/class-ere-property.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Essential Real Estate plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.4.3+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched

wp plugin deactivate essential-real-estate

Restrict User Registration

all

Prevent new user accounts from being created

Settings → General → Membership: Uncheck 'Anyone can register'

🧯 If You Can't Patch

  • Implement strict user role management and review all subscriber-level accounts
  • Enable comprehensive file backup system and monitor for unexpected attachment deletions

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 4.4.2 or lower, you are vulnerable.

Check Version:

wp plugin get essential-real-estate --field=version

Verify Fix Applied:

Confirm the plugin version is 4.4.3 or higher. Test attachment deletion with a subscriber account: the request should fail.

📡 Detection & Monitoring

Log Indicators:

  • WordPress media deletion logs from non-admin users
  • AJAX requests to remove_property_attachment_ajax endpoint

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=remove_property_attachment

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data LIKE "%remove_property_attachment%")
