Advisory

Critical File Upload Flaw Reported in RealHomes CRM Plugin

Take action: If you are using the RealHomes CRM plugin, update it ASAP to version 1.0.1. Attackers can easily upload a web shell and take over your website. When coding, always use proper permission checks and file type validation for file uploads.


Learn More

InspiryThemes fixed a major security hole in its RealHomes CRM plugin, which is bundled with a theme used by over 30,000 real estate websites. The flaw allows any logged-in user, even those with low privileges like subscribers, to upload files to the server, enabling attackers to take over entire websites by running malicious scripts.

The flaw is tracked as CVE-2025-67968 (CVSS score 9.9), an arbitrary file upload vulnerability in RealHomes CRM versions 1.0.0 and below that leads to remote code execution. Attackers can exploit the upload_csv_file function. The code uses a security token called a nonce, but any user with the Subscriber role can obtain the nonce value from the wp-admin base page or from a front-end page, so the nonce alone does not restrict who may upload. On top of that, the plugin fails to check whether the user actually has permission to upload files and does not check the type of file being sent, allowing dangerous files to bypass the intended restrictions.

Attackers could exploit this flaw to upload executable code, such as web shells, into directories that the web server serves and executes, and then take control of the server.

The developers released RealHomes CRM version 1.0.1, which adds a current_user_can check to ensure only authorized staff can use the upload tool. It also uses the wp_check_filetype function to block harmful file extensions like .php, ensuring the server only accepts valid CSV data.
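As an added illustration, not the plugin's own code, the following WordPress AJAX handler shows the two checks the advisory says the fix introduced, layered on top of the nonce the original already had: a current_user_can capability check and an extension allow-list enforced with wp_check_filetype. The hook name, capability, action name and form field name are assumptions chosen for the example.

```php
<?php
// Added example (not the RealHomes CRM plugin's code). Hook, action,
// capability and field names are assumptions for illustration.
add_action( 'wp_ajax_example_upload_csv', 'example_handle_csv_upload' );

function example_handle_csv_upload() {
    // 1. Nonce: proves the request came from a page that rendered the form.
    //    Any logged-in user who can load that page can obtain it, so this is
    //    CSRF protection, not an authorization check.
    check_ajax_referer( 'example_upload_csv', 'nonce' );

    // 2. Capability check (the check version 1.0.0 lacked): a Subscriber
    //    does not have manage_options and is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    if ( empty( $_FILES['csv_file'] ) || ! is_uploaded_file( $_FILES['csv_file']['tmp_name'] ) ) {
        wp_send_json_error( 'No file uploaded', 400 );
    }

    // 3. File type validation (also lacking in 1.0.0): an explicit allow-list
    //    of one extension, rather than a deny-list of dangerous ones.
    //    wp_check_filetype() returns ext => false for anything not listed,
    //    so shell.php never reaches the upload step.
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype( $_FILES['csv_file']['name'], $allowed );
    if ( 'csv' !== $check['ext'] ) {
        wp_send_json_error( 'Only CSV files are accepted', 415 );
    }

    // 4. Let WordPress store the file with the same allow-list enforced
    //    again; never trust the client-supplied MIME type.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload(
        $_FILES['csv_file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    // The file now sits under wp-content/uploads with a .csv extension.
    // Parse it as data; never include() or execute uploaded content.
    wp_send_json_success( array( 'file' => $upload['file'] ) );
}
```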

Site owners should update to the latest version of the RealHomes theme and its bundled CRM plugin immediately. 
