RealPress – Real Estate Plugin <= 1.1.0 - Cross-Site Request Forgery

This plan outlines the research and exploitation strategy for CVE-2026-27050, a Cross-Site Request Forgery (CSRF) vulnerability in the RealPress – Real Estate Plugin for WordPress (versions <= 1.1.0).

---

1. Vulnerability Summary

The RealPress plugin fails to implement or correctly verify WordPress nonces on one or more state-changing administrative functions. This allows an unauthenticated attacker to craft a malicious request (e.g., via an auto-submitting HTML form) that, when executed by a logged-in administrator, performs unauthorized actions such as modifying plugin settings, deleting property listings, or changing site configuration.

2. Attack Vector Analysis

• Target Endpoint: wp-admin/admin-post.php or wp-admin/admin-ajax.php.
• Vulnerable Hook: Likely an admin_post_{action} or wp_ajax_{action} hook.
• Authentication Level: CSRF requires the victim to be a logged-in Administrator.
• Payload Delivery: An attacker-controlled external site hosting a malicious form or a hidden <iframe> targeting the vulnerable WordPress site.
• Preconditions: The victim must be authenticated to the target WordPress site and tricked into visiting the attacker's page.

3. Discovery & Code Flow

Since the exact function is not named in the CVE description, the first step is to identify the unprotected handlers.

A. Identify State-Changing Handlers:
Search for handlers that update options or process listings:

grep -rE "add_action\s*\(\s*['\"](admin_post_|wp_ajax_)" wp-content/plugins/realpress/

B. Audit for Nonce Checks:
Trace the functions identified in step A. Look for those that lack the following functions:

• check_admin_referer()
• check_ajax_referer()
• wp_verify_nonce()

Target Candidate (Inferred):
The plugin likely handles settings in a file like includes/admin/class-realpress-admin-settings.php or includes/class-realpress-ajax.php. We are looking for a pattern like:

public function save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // VULNERABILITY: Missing check_admin_referer() here
    $settings = $_POST['realpress_settings'];
    update_option( 'realpress_settings', $settings );
}

4. Nonce Acquisition Strategy (If Required)

The description mentions "missing or incorrect" validation.

• If missing: No nonce is required for the exploit.
• If incorrect: The plugin may generate a nonce but fail to check the return value of wp_verify_nonce() or use check_ajax_referer(..., ..., false) without checking the result.
• If a nonce is needed (Bypass check):
  1. Identify the page where settings are managed (e.g., wp-admin/admin.php?page=realpress-settings).
  2. Use browser_navigate to that page as an admin.
  3. Execute browser_eval("window.realpress_admin?.nonce") (inferred JS key) to extract it.
     Note: For CSRF, the goal is typically to exploit the total absence of a check, as the attacker cannot read the nonce from the victim's browser due to Same-Origin Policy (SOP).

5. Exploitation Strategy

We will simulate a CSRF attack by sending a POST request that lacks a valid nonce.

Step 1: Determine the exact action and parameters
Examine the form in the RealPress settings page:

# Grep for option names to find the data structure
grep -r "update_option" wp-content/plugins/realpress/

Step 2: Craft the Exploit Payload
Assuming the action is realpress_save_settings (inferred) and it updates a setting like site_layout.

Request Details:

• Method: POST
• URL: http://[target]/wp-admin/admin-post.php (or admin-ajax.php)
• Content-Type: application/x-www-form-urlencoded
• Body:

  action=realpress_save_settings&realpress_settings[some_critical_setting]=attacker_controlled_value
  

6. Test Data Setup

1. Install and activate RealPress <= 1.1.0.
2. Create a standard administrator user.
3. Configure basic plugin settings so there is existing data to modify.
4. Identify a specific setting to change (e.g., the contact email or a display setting) via the plugin UI.

7. Expected Results

• The http_request (sent with admin cookies but no nonce) should return a 302 Redirect or a 200 OK success message.
• The plugin settings in the database will be updated to the attacker_controlled_value.

8. Verification Steps

After sending the malicious request, verify the state change via WP-CLI:

# Check the option value directly
wp option get realpress_settings --format=json

If the value matches the one sent in the http_request body, the CSRF is confirmed.

9. Alternative Approaches

• XSS Injection via CSRF: If the settings page does not sanitize input, use the CSRF to inject a script into a setting field (e.g., realpress_footer_text). When the admin views the site, the script executes (Stored XSS).
• Property Deletion: If the plugin handles property deletion via GET/POST without nonces:
  • Payload: action=realpress_delete_property&property_id=123
  • Verification: wp post list --post_type=realpress_property (check if ID 123 is gone).
• AJAX Endpoint: If the vulnerability is in an AJAX handler, use the wp_ajax_ action name and target admin-ajax.php.