A security flaw in the RealHomes CRM plugin, bundled with a WordPress theme installed on more than 30,000 websites, has been patched after researchers found it could allow low-privileged users to upload malicious files and take control of affected sites.
The vulnerability affected RealHomes CRM versions 1.0.0 and earlier and allowed any logged-in user with Subscriber-level access or higher to upload arbitrary files through a CSV import feature. If exploited, the issue could be used to place malicious code on the server and ultimately lead to a full site takeover.
RealHomes CRM is included with the RealHomes WordPress theme, developed by InspiryThemes. The theme is widely used to build real estate websites . It offers tools such as advanced property search, multiple listing layouts, front-end submission and management, payment integration via PayPal and Stripe and support for page builders including Elementor.
The flaw has been assigned CVE-2025-67968 and was discovered and reported by Patchstack Alliance community member wackydawg. It was located in an AJAX function responsible for handling CSV file uploads.
Although the function used a nonce for request validation, that nonce could be retrieved by Subscriber users from both admin and front-end pages.
Read more on WordPress plugin security: Critical WordPress Plugin Bugs Exploited En Masse
Why the Upload Mechanism Was Risky
Further analysis showed that the upload process lacked several basic security controls. In particular, there was no check to confirm whether a user had sufficient privileges to perform the action, and no validation of file types or extensions before files were written to the server.
Key issues included:
-
Missing permission checks to restrict access to privileged users
-
Acceptance of arbitrary file uploads instead of CSV-only files
-
Direct use of the file upload function without additional validation
In response, the developers released RealHomes CRM version 1.0.1, which introduces a current_user_can capability check to ensure only authorised users can access the upload feature. The patch also adds file type and extension validation using WordPress’s wp_check_filetype function.
The disclosure serves as a reminder that nonces alone are not a substitute for proper access control. As WordPress documentation states, “nonces should never be relied on for authentication, authorization or access control.”
RealHomes CRM users are advised to update to the latest version to reduce their exposure.
