CVE-2026-54827
Status: Deferred - Pending Action
Unauthenticated SQL Injection in Real Estate 7

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: patchstack
Product: real_estate_7
Version / Range: to 3.5.9 (inc)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Impact Analysis

This vulnerability can have severe impacts including allowing attackers to steal sensitive information from the website's database.

Since the vulnerability is unauthenticated and has a high CVSS score of 9.3, it is a prime target for mass exploitation campaigns affecting thousands of websites.

Additionally, the vulnerability can lead to partial denial of service (availability impact) and compromise the confidentiality of data.

Mitigation Strategies

The vulnerability affects WordPress Real Estate 7 Theme versions 3.5.9 and below and allows unauthenticated SQL Injection attacks.

Immediate mitigation steps include upgrading the theme to version 3.6.0 or later, which contains the patch for this issue.

Until the upgrade can be performed, applying the mitigation rule issued by Patchstack to block attacks is recommended.

Users are also advised to seek assistance from their hosting provider or developer to ensure proper mitigation.

Executive Summary

CVE-2026-54827 is an unauthenticated SQL Injection vulnerability found in the WordPress Real Estate 7 Theme, versions 3.5.9 and below.

This flaw allows attackers to interact directly with the website's database without needing to log in or authenticate.

Because it requires no authentication, it is considered highly dangerous. It is classified under the OWASP Top 10 category A3: Injection.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks, potentially leading to unauthorized access and theft of sensitive information stored in the website's database.

Such unauthorized data access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Failure to address this vulnerability could result in violations of these regulations due to compromised confidentiality and integrity of protected data.
