CVE-2026-54827: WordPress Real Estate 7 theme <= 3.5.9 - SQL Injection vulnerability
Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions.
Metrics
- CVSS v3.1
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an unauthenticated SQL injection vulnerability in the Real Estate 7 WordPress theme (versions 3.5.9 and earlier), developed by Contempo. An attacker can reach the vulnerable endpoint directly over the network without any credentials or user interaction. Successful exploitation gives the attacker read access to the underlying database and limited ability to disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Real Estate 7 theme. Any image carrying an affected version of the theme is flagged automatically.
AvailableHarborGuard scores this finding at CVSS 9.3 (Critical) and applies per-environment compliance policy weighting to prioritize and route alerts to the appropriate team inbox within each customer organization. Environments with stricter data-classification policies will see this surfaced at the highest urgency tier.
AvailableNo upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Contempo ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- AuthenticationNot required
No account or session token of any kind is needed; the injection is reachable by any anonymous request.
- Victim interactionNot required
The attacker sends a crafted request directly to the server; no user action or social engineering is involved.
- Attack complexityDetail
Exploit conditions are straightforward and reliable, with no race conditions, memory-layout dependencies, or other environmental factors to overcome.
Blast Radius
- Reads arbitrary database contents, including WordPress user records, hashed passwords, session tokens, and any customer or listing data stored in the database.
- Database confidentiality is fully compromised across all tables the WordPress database user can access, which in typical deployments includes the entire WordPress schema.
- The A:L (low availability) impact token indicates the attacker can partially degrade service, such as causing slow queries or locking rows, without fully crashing the database.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked with no fix version currently published. Every ingest cycle, HarborGuard re-checks the Patchstack advisory and upstream repository for a remediated release. In the meantime, customers can apply compensating controls surfaced through HarborGuard policy recommendations, including network-policy rules that restrict public access to WordPress query endpoints, web-application firewall rules targeting SQL injection patterns in URL parameters, and egress filtering to limit what the database process can reach if an attacker pivots. For customers who opt into auto-remediation, a patched-image rebuild, regression test run, and PR against affected workloads will be initiated automatically the moment an upstream fix version is published, with a median time from CVE patch publication to merged PR of around 90 minutes for Critical-severity issues in auto-remediation-enabled environments.
- contempoinc / Real Estate 7≤ 3.5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L