CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23477 – WordPress Realty Workstation plugin <= 1.0.45 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-23477
16 Jan 2025 — Missing Authorization vulnerability in Realty Workstation Realty Workstation allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Realty Workstation: from n/a through 1.0.45. The Realty Workstation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.45. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/wordpress/plugin/realty-workstation/vulnerability/wordpress-realty-workstation-plugin-1-0-45-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51786 – WordPress Realty by BestWebSoft plugin <= 1.1.5 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-51786
04 Nov 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BestWebSoft Realty by BestWebSoft allows Stored XSS.This issue affects Realty by BestWebSoft: from n/a through 1.1.5. The Realty by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, ... • https://patchstack.com/database/vulnerability/realty/wordpress-realty-by-bestwebsoft-plugin-1-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50489 – WordPress Realty Workstation plugin <= 1.0.45 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2024-50489
25 Oct 2024 — Authentication Bypass Using an Alternate Path or Channel vulnerability in Realty Workstation allows Authentication Bypass.This issue affects Realty Workstation: from n/a through 1.0.45. The Realty Workstation plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.45. This is due to the plugin not properly verifying a users identify prior to allowing them to access an account. This makes it possible for unauthenticated attackers to log in as other users, such as... • https://patchstack.com/database/vulnerability/realty-workstation/wordpress-realty-workstation-plugin-1-0-45-account-takeover-vulnerability?_s_id=cve • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 9.8EPSS: 8%CPEs: 3EXPL: 6CVE-2012-1112 – Open Realty 2.5.x - 'select_users_template' Local File Inclusion
https://notcve.org/view.php?id=CVE-2012-1112
06 Sep 2012 — Directory traversal vulnerability in Open-Realty CMS 2.5.8 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the select_users_template parameter to index.php. Vulnerabilidad de directorio transversal en Open-Realty CMS v2.5.8 y anteriores permite a atacantes remotos incluir y ejecutar archivos locales a través de un .. (punto punto) en el parámetro select_users_template a index.php. • https://www.exploit-db.com/exploits/36910 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2011-3765
https://notcve.org/view.php?id=CVE-2011-3765
24 Sep 2011 — Open-Realty 2.5.8 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by install/versions/upgrade_115.inc.php and certain other files. Open-Realty v2.5.8 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con install/versions/upgrade_115.inc.php y algunos otros ... • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 70%CPEs: 6EXPL: 6CVE-2007-5056 – PacerCMS 0.6 - 'last_module' Remote Code Execution
https://notcve.org/view.php?id=CVE-2007-5056
24 Sep 2007 — Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter. Una vulnerabilidad de inyección Eval en el archivo adodb-perf-module.inc.php en ADOdb Lite versiones 1.42 y anteriores, como es usado en productos como CMS Made Simple, SAPID CMF, Journalness, PacerCMS y Open-Realty, permite a... • https://www.exploit-db.com/exploits/5098 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2007-0490
https://notcve.org/view.php?id=CVE-2007-0490
25 Jan 2007 — index.php in Open-Realty 2.3.4 allows remote attackers to obtain sensitive information (the full path) via an invalid listingID parameter in a listingview action. index.php en el Open-Realty 2.3.4 permite a atacantes remotos la obtención de información sensible (la ruta completa) a través del parámetro no válido listingID en la acción listingview. • http://www.securityfocus.com/archive/1/457676/100/0/threaded •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2006-3148
https://notcve.org/view.php?id=CVE-2006-3148
22 Jun 2006 — SQL injection vulnerability, possibly in search.inc.php, in Open-Realty 2.3.1 allows remote attackers to execute arbitrary SQL commands via the sorttype parameter to index.php. Vulnerabilidad de inyección SQL en search.inc.php de Open-Realty v2.3.1, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro sorttype en index.php. • http://pridels0.blogspot.com/2006/06/open-realty-sql-injection-vuln.html •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2006-3165
https://notcve.org/view.php?id=CVE-2006-3165
22 Jun 2006 — SQL injection vulnerability in propview.php in Free Realty 2.9-0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the sort parameter. Vulnerabilidad de inyección SQL en propview.php en Free Realty v2.9-0.7 y anteriores , permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro ordenar. • http://pridels0.blogspot.com/2006/06/free-realty-vuln.html •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2006-3166
https://notcve.org/view.php?id=CVE-2006-3166
22 Jun 2006 — Cross-site scripting (XSS) vulnerability in propview.php in Free Realty 2.9-0.6 and earlier allows remote attackers to execute arbitrary web script or HTML via the sort parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en propview.php en Free Realty v2.9-0.6 y anteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro ordenar. • http://pridels0.blogspot.com/2006/06/free-realty-vuln.html •