CVE-2025-48126

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Essential Real Estate plugin, potentially leading to sensitive file disclosure or code execution. All sites running vulnerable versions of the plugin are affected.

💻 Affected Systems

Products:
  • Essential Real Estate WordPress Plugin
Versions: n/a through 5.2.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with vulnerable plugin version. PHP configuration with allow_url_include disabled does not prevent local file inclusion.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠 Likely Case: Sensitive file disclosure (configuration files, database credentials) and limited code execution within web server context.

🟢 If Mitigated: Limited impact if file permissions are restrictive and web server runs with minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted requests to vulnerable endpoints. Public proof-of-concept demonstrates file inclusion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.2 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-5-2-1-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Essential Real Estate plugin.
4. Click 'Update Now' if update available.
5. Alternatively, download version 5.2.2+ from WordPress repository and manually replace plugin files.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate essential-real-estate

Web Application Firewall Rule

linux

Block requests containing path traversal sequences in parameters.

# Example mod_security rule:
SecRule ARGS "\.\./" "id:1001,deny,status:403"

🧯 If You Can't Patch

  • Implement strict file permissions (webroot files read-only, configuration files outside webroot)
  • Deploy web application firewall with LFI detection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Essential Real Estate for the version number. If the version is 5.2.1 or earlier, the system is vulnerable.

Check Version:

wp plugin get essential-real-estate --field=version

Verify Fix Applied:

Confirm the plugin version is 5.2.2 or later in the WordPress admin panel. Requests to the previously vulnerable endpoints that contain path traversal sequences should return errors, not file contents.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with ../ sequences in parameters
  • PHP include/require warnings for unexpected files
  • Access to sensitive files like /etc/passwd in web logs

Network Indicators:

  • Unusual GET/POST requests with file path parameters
  • Responses containing system file contents

SIEM Query:

source="web_logs" AND (uri="*../*" OR params="*../*")
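The SIEM query above matches only a literal ../ in the logged request, so percent-encoded forms pass unnoticed. The following added example (not part of the original advisory or the plugin) decodes query parameters before matching and sorts served requests first; it assumes Combined Log Format, and the parameter name example_param and all log lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined Log Format (assumed): ip ident user [time] "METHOD URI PROTO" status size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# ".." as a whole path segment, so values such as "villa..2bed" do not match
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
MAX_DECODE_ROUNDS = 3  # assumption: enough to undo nested percent-encoding

# Constructed sample lines; example_param is a placeholder, not a real plugin parameter
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /?example_param=../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /?example_param=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 500 0',
    '198.51.100.4 - - [10/Jun/2025:12:00:03 +0000] "GET /?example_param=%252e%252e%252fwp-config.php HTTP/1.1" 403 199',
    '198.51.100.9 - - [10/Jun/2025:12:00:04 +0000] "GET /?s=villa..2bed&page=2 HTTP/1.1" 200 5120',
]

def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(log_line):
    """Return (client_ip, status, param, decoded_value) for each suspicious parameter."""
    m = REQUEST_RE.match(log_line)
    if not m:
        return []
    ip, _method, uri, status = m.groups()
    hits = []
    # parse_qsl decodes once; fully_decode peels any remaining encoding layers
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        decoded = fully_decode(value)
        if TRAVERSAL_RE.search(decoded):
            hits.append((ip, int(status), name, decoded))
    return hits

def triage(lines):
    """Collect hits, 2xx first: the server answered those, so review the responses."""
    hits = [h for line in lines for h in find_traversal(line)]
    return sorted(hits, key=lambda h: not 200 <= h[1] < 300)

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the query string, so parameters sent in POST bodies need the same check applied at the WAF or application layer.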
