CVE-2024-4274 is an authorization bypass vulnerability (CWE-639) in the Essential Real Estate WordPress plugin by g5theme. The issue arises from insufficient validation in the remove_property_attachment_ajax() function, enabling authenticated users with subscriber or higher privileges to delete arbitrary attachments. This vulnerability affects all versions up to and including 4.4.2. The CVSS 3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, required privileges at the low level, no user interaction, and an impact limited to availability loss.

An attacker with subscriber-level access or higher can delete arbitrary attachments, potentially causing denial of availability of those resources. There is no impact on confidentiality or integrity according to the CVSS vector. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level user permissions where possible and monitor for suspicious deletion activity related to attachments. Avoid granting unnecessary privileges to users to limit exploitation potential.