CVE-2025-11191: CWE-862 Missing Authorization in RealPress
The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.
AI Analysis
Technical Summary
CVE-2025-11191 is a vulnerability identified in the RealPress WordPress plugin prior to version 1.1.0, categorized under CWE-862 (Missing Authorization). The issue arises because the plugin registers REST API routes without enforcing proper permission checks. This security lapse allows unauthenticated remote attackers to invoke these endpoints to create new pages on the WordPress site and send emails as if originating from the site itself. The lack of authorization checks means that no user credentials or privileges are required to exploit this flaw, and no user interaction is necessary. The vulnerability impacts the integrity of the website by enabling unauthorized content creation, which can be used for defacement or injecting malicious content. Additionally, the ability to send emails from the site can be abused for phishing campaigns or spam distribution, potentially damaging the organization’s reputation and trustworthiness. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity without affecting confidentiality or availability. Although no known exploits are currently reported in the wild, the straightforward exploitation path and the common use of WordPress plugins make this a notable risk. The vulnerability was published on October 31, 2025, and the plugin vendor is expected to release a patch in version 1.1.0 or later. Until then, organizations must consider alternative mitigations such as restricting access to REST endpoints or implementing custom authorization logic.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to website integrity and email trustworthiness. Unauthorized page creation can lead to website defacement, misinformation, or embedding of malicious content, which can harm brand reputation and user trust. The ability to send emails from the compromised site can facilitate phishing attacks targeting customers or partners, increasing the risk of credential theft or malware infections. Since the vulnerability requires no authentication and can be exploited remotely, it broadens the attack surface significantly. Organizations relying on RealPress for their WordPress sites, especially those with customer-facing portals or transactional email capabilities, face increased risk of operational disruption and reputational damage. The impact on confidentiality and availability is minimal, but the indirect consequences of phishing and brand damage can be substantial. Additionally, regulatory compliance under GDPR may be affected if the unauthorized emails lead to data breaches or privacy violations. The medium severity rating suggests that while the threat is not critical, timely remediation is important to prevent exploitation.
Mitigation Recommendations
1. Upgrade the RealPress WordPress plugin to version 1.1.0 or later as soon as the patch is released to ensure proper authorization checks are enforced on REST API routes.
2. Until an official patch is available, implement custom permission checks on the affected REST endpoints by modifying the plugin code or using WordPress hooks to restrict access to authenticated and authorized users only.
3. Employ Web Application Firewalls (WAF) with rules to detect and block unauthorized REST API calls targeting RealPress endpoints.
4. Monitor website content and email sending logs for unusual activity indicative of exploitation attempts, such as unexpected page creations or email dispatches.
5. Restrict REST API access to trusted IP addresses or authenticated users where feasible, using server or WordPress configuration.
6. Educate site administrators about the vulnerability and encourage regular plugin updates and security audits.
7. Review email sending policies and implement SPF, DKIM, and DMARC records to reduce the impact of potential phishing emails sent from compromised sites.
8. Conduct penetration testing focused on REST API endpoints to identify any other missing authorization issues.
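The following is an added example and not RealPress code; the advisory does not name the affected routes, so the namespace `example-realpress/v1`, the `/pages` and `/email` routes and all function names are hypothetical. It shows the two halves of recommendation 2: the plugin-side fix, where each `register_rest_route()` call carries a `permission_callback` that ties the action to a WordPress capability (the CWE-862 pattern is a route registered without one, or with `__return_true`), and a site-side stop-gap that a site owner can install as a must-use plugin to reject unauthenticated requests to a known-vulnerable namespace via the core `rest_pre_dispatch` filter before the plugin's callbacks run.

```php
<?php
/**
 * Added example, not RealPress code. The namespace 'example-realpress/v1',
 * the routes and the function names are hypothetical placeholders.
 */

// 1. Plugin-side fix: every route declares a permission_callback. Omitting it,
//    or passing '__return_true', lets any unauthenticated visitor reach the
//    callback, which is the missing-authorization condition in the advisory.
add_action( 'rest_api_init', 'example_register_routes' );

function example_register_routes() {
    register_rest_route( 'example-realpress/v1', '/pages', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_create_page',
        'permission_callback' => 'example_can_publish_pages',
        'args'                => array(
            'title'   => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'content' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'wp_kses_post' ),
        ),
    ) );

    register_rest_route( 'example-realpress/v1', '/email', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_send_email',
        'permission_callback' => 'example_can_manage_site',
        'args'                => array(
            'to'      => array( 'required' => true, 'type' => 'string', 'format' => 'email', 'sanitize_callback' => 'sanitize_email' ),
            'subject' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'message' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
    ) );
}

// Creating a page requires the same capability the editor UI requires.
function example_can_publish_pages( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'publish_pages' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not create pages.', array( 'status' => 403 ) );
    }
    return true;
}

// Sending mail on behalf of the site is an administrative action.
function example_can_manage_site( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // 401 for anonymous callers, 403 for authenticated but unprivileged ones.
    return new WP_Error( 'rest_forbidden', 'You may not send site email.', array( 'status' => rest_authorization_required_code() ) );
}

function example_create_page( WP_REST_Request $request ) {
    $post_id = wp_insert_post( array(
        'post_type'    => 'page',
        'post_status'  => 'draft', // never auto-publish content submitted through the API
        'post_title'   => $request['title'],
        'post_content' => $request['content'],
    ), true );
    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    return rest_ensure_response( array( 'id' => $post_id ) );
}

function example_send_email( WP_REST_Request $request ) {
    $sent = wp_mail( $request['to'], $request['subject'], $request['message'] );
    return rest_ensure_response( array( 'sent' => (bool) $sent ) );
}

// 2. Site-side stop-gap for an unpatched plugin (place in wp-content/mu-plugins/):
//    short-circuit dispatch for the vulnerable namespace unless the caller is an
//    authenticated user who may edit pages. Returning a WP_Error from
//    rest_pre_dispatch stops the request before any route callback executes.
add_filter( 'rest_pre_dispatch', 'example_gate_vulnerable_namespace', 10, 3 );

function example_gate_vulnerable_namespace( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route = $request->get_route(); // e.g. "/example-realpress/v1/pages"
    if ( 0 === strpos( $route, '/example-realpress/v1/' ) && ! current_user_can( 'edit_pages' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'This endpoint requires an authorized user.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $result; // null: let WordPress dispatch normally
}
```

The stop-gap only helps once the affected namespace is known from the plugin's source, which is why the prefix above is a placeholder; it should be removed after upgrading to the fixed release so it does not mask a future regression in the plugin's own checks.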
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-09-30T12:38:44.699Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69045e81d694fb7fc7296d01
Added to database: 10/31/2025, 7:00:17 AM
Last enriched: 1/9/2026, 8:51:12 PM
Last updated: 2/7/2026, 6:14:25 PM