CVE-2025-1515

Critical

Published: 05 March 2025

Published

05 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 18.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1515 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation mandates timely identification, testing, and deployment of patches for the vulnerable WP Real Estate Manager plugin, directly eliminating the authentication bypass vulnerability.

IA-13 Identity Providers and Authorization Servers good match

prevent

Employment of identity providers and authorization servers like LinkedIn with defined security requirements ensures sufficient identity verification, preventing bypasses in the plugin's login process.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Unique identification and authentication for non-organizational users directly counters authentication bypass vulnerabilities in public-facing mechanisms such as the plugin's LinkedIn login.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The authentication bypass in a public-facing WordPress plugin directly enables remote exploitation of the web application for initial access as any user including administrators.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated…

attackers to bypass official authentication and log in as any user on the site, including administrators.

Deeper analysisAI

CVE-2025-1515 is an authentication bypass vulnerability in the WP Real Estate Manager plugin for WordPress, affecting all versions up to and including 2.8. The flaw arises from insufficient identity verification in the LinkedIn login request process, allowing attackers to circumvent standard authentication mechanisms.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, no privileges, and no user interaction required. Successful exploitation enables logging in as any site user, including administrators, granting high levels of access to confidential data, system integrity, and availability, as reflected in its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue maps to CWE-288.

Advisories providing further details, including potential mitigation steps, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/84f08111-d116-46f9-9765-28966e338753?source=cve and the plugin's ThemeForest listing at https://themeforest.net/item/home-villa-real-estate-wordpress-theme/19446059.