CVE-2026-56055
InspiryThemes · RealHomes
A PHP Object Injection vulnerability exists in the InspiryThemes RealHomes plugin for WordPress, potentially allowing authenticated subscribers to execute arbitrary code.
Executive summary
A PHP Object Injection vulnerability in the RealHomes WordPress plugin permits authenticated subscribers to execute arbitrary code, threatening site integrity.
Vulnerability
This is a PHP Object Injection flaw caused by improper validation of serialized input. It is exploitable by authenticated users with the "Subscriber" role, who can inject malicious objects to trigger unintended behavior or code execution.
Business impact
An attacker successfully exploiting this flaw can gain unauthorized access to the underlying server, modify database content, or exfiltrate sensitive site data. With a CVSS score of 8.8, this high-severity vulnerability poses a grave risk to the confidentiality, integrity, and availability of WordPress sites utilizing the RealHomes theme.
Remediation
Immediate Action: Update the RealHomes plugin to the latest version provided by InspiryThemes.
Proactive Monitoring: Audit WordPress user accounts and monitor for suspicious behavior or unauthorized administrative actions performed by accounts with lower-level privileges.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common PHP object injection patterns and malicious payloads targeting WordPress plugins.
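One way to support the monitoring and WAF controls above is to flag request parameters that carry a serialized PHP object, including URL-encoded and base64-wrapped forms. This is an added example, not code from InspiryThemes or any WAF product; the advisory does not name the affected parameter, so the parameter names and sample requests below are constructed.

```python
import base64
import re
from urllib.parse import unquote_plus

# PHP serialize() writes objects as O:<name length>:"<class>":<count>:{ (C: for Serializable).
OBJECT_TOKEN = re.compile(r'(?<!\w)[OC]:(\d+):"([^"]+)":\d+:\{')

def _b64_text(v):
    try:
        return base64.b64decode(v, validate=True).decode("utf-8")
    except ValueError:  # not base64, or not text once decoded
        return None

def decoded_forms(value, depth=3):
    """Return the value plus its URL-decoded and base64-decoded forms (bounded depth)."""
    forms, frontier = [], [value]
    for _ in range(depth):
        fresh = [v for v in dict.fromkeys(frontier) if v and v not in forms]
        forms += fresh
        frontier = [unquote_plus(v) for v in fresh] + [_b64_text(v) for v in fresh]
    return forms

def serialized_classes(value):
    """Class names of serialized PHP objects present in any decoded form of value."""
    hits = []
    for form in decoded_forms(value):
        for m in OBJECT_TOKEN.finditer(form):
            declared, name = int(m.group(1)), m.group(2)
            # The declared length must equal the name's byte length, as PHP requires;
            # this discards ordinary text that only resembles the token.
            if declared == len(name.encode("utf-8")) and name not in hits:
                hits.append(name)
    return hits

def flag_requests(requests):
    """Yield (role, parameter, classes) for each parameter carrying a serialized object."""
    for role, params in requests:
        for key, value in params.items():
            classes = serialized_classes(value)
            if classes:
                yield role, key, classes

# Constructed sample requests; "hypothetical_field" is an assumed parameter name.
SAMPLE_OBJECT = 'O:8:"stdClass":0:{}'  # inert object with no properties
SAMPLES = [
    ("subscriber", {"keyword": "3 bed O: garden"}),
    ("subscriber", {"hypothetical_field": SAMPLE_OBJECT}),
    ("subscriber", {"hypothetical_field": base64.b64encode(SAMPLE_OBJECT.encode()).decode()}),
    ("subscriber", {"hypothetical_field": "a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"}),
]
```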
Exploitation status
Public Exploit Available: false
Analyst recommendation
Site administrators must apply the vendor-provided patch immediately to mitigate the risk of object injection. Given that the exploit requires an authenticated subscriber account, it is also recommended to review and audit all registered user accounts to ensure no unauthorized or malicious accounts currently exist within the system.