CVE-2025-67968 (CVSS 9.9) is a critical flaw in the RealHomes CRM plugin, a core component of the Real Homes WordPress theme, which is used by over 30,000 active websites. The vulnerability lies in how the plugin handles file uploads: any authenticated user can upload arbitrary files through the upload_csv_file action, bypassing the normal checks and potentially enabling full site takeover.
The root cause is a missing permission check combined with a lack of file validation: the handler passes the uploaded content straight to move_uploaded_file, which places it on the server as-is. Administrators are urged to apply the patch released in RealHomes CRM version 1.0.1, which adds a current_user_can permissions check to the AJAX action, blocking uploads from unauthorized users.
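To make the pattern concrete, here is an illustrative admin-ajax handler written for this page; it is not RealHomes CRM source, and the advisory does not describe the plugin's internals. Only the hook name upload_csv_file comes from the advisory. The function names, the capability chosen for the check (manage_options), the nonce action, and the destination directory are all assumptions. The first handler shows the shape of the bug the advisory describes (no capability check, no file validation, client-controlled filename passed to move_uploaded_file); the second shows a hardened version that adds the capability check the 1.0.1 patch introduces, plus the validation steps a reviewer would expect alongside it.

```php
<?php
// Illustrative example, not RealHomes CRM code. In a real plugin only one of
// these handlers would be hooked; both are registered here for side-by-side
// contrast. wp_ajax_* actions are reachable by any logged-in user, including
// the Subscriber role, so the handler itself must enforce authorization.

// --- Vulnerable pattern (assumed shape, per the advisory's description) -----
add_action( 'wp_ajax_upload_csv_file', 'example_upload_csv_file_vulnerable' );
function example_upload_csv_file_vulnerable() {
    $upload = wp_upload_dir();
    // Client-controlled filename, no capability check, no nonce, no
    // extension or MIME validation: a file named shell.php lands in a
    // web-served directory and move_uploaded_file happily places it.
    $dest = $upload['basedir'] . '/csv/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'wp_ajax_upload_csv_file', 'example_upload_csv_file_hardened' );
function example_upload_csv_file_hardened() {
    // 1. Capability check. The advisory says 1.0.1 adds a current_user_can
    //    check; the specific capability (manage_options) is an assumption.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die()
    }

    // 2. CSRF protection: a nonce bound to this action ('upload_csv_file'
    //    as the nonce action and 'nonce' as the request field are assumed).
    check_ajax_referer( 'upload_csv_file', 'nonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // 3. File validation: allow only a CSV, checking both the extension and
    //    the detected MIME type rather than trusting the client's name.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        array( 'csv' => 'text/csv' )
    );
    if ( 'csv' !== $check['ext'] ) {
        wp_send_json_error( 'only CSV files are accepted', 415 );
    }

    // 4. Never reuse the client-supplied filename. Generate our own name with
    //    a fixed .csv extension so that even a misconfigured server cannot be
    //    talked into executing the stored file.
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'csv-imports'; // assumed
    wp_mkdir_p( $dir );
    $name = 'import-' . wp_generate_password( 12, false ) . '.csv';
    $dest = $dir . '/' . wp_unique_filename( $dir, $name );

    if ( ! move_uploaded_file( $_FILES['file']['tmp_name'], $dest ) ) {
        wp_send_json_error( 'could not store file', 500 );
    }
    wp_send_json_success( array( 'stored' => basename( $dest ) ) );
}
```

The capability check alone is what closes the reported vulnerability; the nonce, extension/MIME validation and server-generated filename are the defence-in-depth layers that keep a future authorization slip from turning into remote code execution again. When auditing a plugin for this class of bug, grep for wp_ajax_ registrations and confirm every handler that touches $_FILES performs a current_user_can check before move_uploaded_file is reached.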
According to the security advisory, attackers could use the upload process to plant malicious code such as PHP web shells or other malware. Because a Subscriber-level account (the default role WordPress assigns to newly registered users) is sufficient, exploitation requires no special privileges.