Cyber Resilience

CVE-2025-1515

Critical

Published: 05 March 2025

Published
05 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 19.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1515 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2025-1515 is an authentication bypass vulnerability in the WP Real Estate Manager plugin for WordPress, affecting all versions up to and including 2.8. The flaw arises from insufficient identity verification in the LinkedIn login request process, allowing attackers to circumvent standard authentication mechanisms.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, no privileges, and no user interaction required. Successful exploitation enables logging in as any site user, including administrators, granting high levels of access to confidential data, system integrity, and availability, as reflected in its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue maps to CWE-288.

Advisories providing further details, including potential mitigation steps, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/84f08111-d116-46f9-9765-28966e338753?source=cve and the plugin's ThemeForest listing at https://themeforest.net/item/home-villa-real-estate-wordpress-theme/19446059.

EU & UK References

Vulnerability details

The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated…

more

attackers to bypass official authentication and log in as any user on the site, including administrators.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authentication bypass in a public-facing WordPress plugin directly enables remote exploitation of the web application for initial access as any user including administrators.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-10294Shared CWE-288
CVE-2026-3461Shared CWE-288
CVE-2025-67070Shared CWE-288
CVE-2026-42760Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2026-1779Shared CWE-288
CVE-2025-0316Shared CWE-288
CVE-2026-45109Shared CWE-288
CVE-2025-5397Shared CWE-288
CVE-2026-31271Shared CWE-288

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation mandates timely identification, testing, and deployment of patches for the vulnerable WP Real Estate Manager plugin, directly eliminating the authentication bypass vulnerability.

prevent

Employment of identity providers and authorization servers like LinkedIn with defined security requirements ensures sufficient identity verification, preventing bypasses in the plugin's login process.

prevent

Unique identification and authentication for non-organizational users directly counters authentication bypass vulnerabilities in public-facing mechanisms such as the plugin's LinkedIn login.

References