CVE-2025-14892

WordPress · Prime Listing Manager (Plugin)

The Prime Listing Manager plugin for WordPress contains a hardcoded secret that allows unauthenticated attackers to gain administrative access to the targeted website.

Executive summary

A hardcoded secret in the Prime Listing Manager WordPress plugin allows unauthenticated attackers to bypass authentication and gain full administrative control of the site.

Vulnerability

The plugin uses a hardcoded secret for authentication or authorization checks. An unauthenticated attacker can use this secret to impersonate an administrator and perform unauthorized actions without needing a valid account.

Business impact

With a CVSS score of 9.8, this vulnerability is critical. An attacker can completely take over a WordPress site, leading to the theft of user data, the injection of malicious scripts (SEO spam or malware), and the total loss of site integrity and reputation.

Remediation

Immediate Action: Deactivate and delete the Prime Listing Manager plugin until a patched version is confirmed and available.

Proactive Monitoring: Check for the creation of unauthorized administrative accounts and review web server access logs for unusual requests to the plugin's directory.

Compensating Controls: Use a Web Application Firewall (WAF) to block common exploit patterns targeting WordPress plugins and enforce strong file permissions on the server.
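One way to carry out the administrative-account check above, as an added example that is not part of this advisory. It assumes the rows have been exported from wp_users joined to each user's wp_capabilities row in wp_usermeta (a PHP-serialized roles array); the sample rows, the allowlist and the install date are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample rows in the shape of wp_users joined to the
# wp_capabilities value from wp_usermeta (PHP-serialized roles array).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2023-01-10 09:12:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 7, "user_login": "editor_jane", "user_registered": "2024-03-02 14:00:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 42, "user_login": "wp_support_tmp", "user_registered": "2025-11-19 03:41:17",
     "wp_capabilities": 'a:2:{s:13:"administrator";b:1;s:10:"subscriber";b:0;}'},
]

# Matches each role entry whose flag is true (b:1) in the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
WP_DATE = "%Y-%m-%d %H:%M:%S"


def roles_from_capabilities(serialized):
    """Return the set of roles enabled in a PHP-serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def find_suspicious_admins(users, known_admins, installed_since):
    """Flag administrator accounts that are not on the allowlist of expected
    admins or that were registered after the vulnerable plugin was installed."""
    since = datetime.strptime(installed_since, WP_DATE)
    findings = []
    for user in users:
        if "administrator" not in roles_from_capabilities(user["wp_capabilities"]):
            continue
        registered = datetime.strptime(user["user_registered"], WP_DATE)
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not in known-admin allowlist")
        if registered >= since:
            reasons.append("registered after plugin install")
        if reasons:
            findings.append((user["ID"], user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    # Hypothetical allowlist and install date; replace with the site's own values.
    for finding in find_suspicious_admins(SAMPLE_USERS, {"owner"}, "2025-06-01 00:00:00"):
        print(finding)
```

Any account the check reports should be verified against the site's change records before it is removed, since an unexpected admin account is only one indicator of compromise.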

Exploitation status

Public Exploit Available: false

Analyst recommendation

The use of hardcoded secrets is a fundamental security failure. Administrators should remove the affected plugin immediately and perform a security audit of their WordPress site to ensure no backdoors were installed during the period of vulnerability.