
CVE-2025-11191: CWE-862 Missing Authorization in RealPress

Severity: Medium
Tags: Vulnerability, CVE-2025-11191, CWE-862
Published: Fri Oct 31 2025 (10/31/2025, 06:00:03 UTC)
Source: CVE Database V5
Product: RealPress

Description

The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.

AI-Powered Analysis

AI analysis last updated: 10/31/2025, 07:00:40 UTC

Technical Analysis

CVE-2025-11191 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the RealPress WordPress plugin versions prior to 1.1.0. The core issue lies in the plugin's registration of REST API routes without enforcing proper permission checks, which means that any unauthenticated user can invoke these endpoints. Specifically, attackers can create new pages on the WordPress site and send emails through the site’s mail functionality. This unauthorized access to REST routes bypasses normal WordPress permission mechanisms, allowing attackers to manipulate site content and potentially use the site as a vector for phishing or spam campaigns. The vulnerability does not require authentication or user interaction, making it straightforward to exploit remotely. Although no exploits have been reported in the wild yet, the exposure of these capabilities poses a significant risk. The affected versions are all versions before 1.1.0, with no patch currently linked, indicating that users must remain vigilant and apply updates or mitigations once available. The vulnerability was reserved on 2025-09-30 and published on 2025-10-31, with WPScan as the assigner. The lack of a CVSS score necessitates an independent severity assessment based on the impact and exploitability factors.
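The flaw class described above is easiest to see in code. The following is an added illustration, not RealPress source: a WordPress REST route registered without a real `permission_callback` (the CWE-862 pattern) next to a hardened registration of the same hypothetical route. The namespace `example-plugin/v1`, the route `/pages` and the function names are assumptions; the hooks, `register_rest_route` arguments and capability names are standard WordPress APIs.

```php
<?php
/**
 * Added example (not RealPress code). Shows a REST route with a missing
 * authorization check and the hardened form. All names are hypothetical.
 */

// --- Vulnerable pattern (kept as a reference, deliberately not hooked):
// a permission_callback that always passes, or none at all. WordPress 5.5+
// logs a _doing_it_wrong notice when the key is missing, but the route is
// still registered, so any unauthenticated visitor can call it.
function example_register_routes_vulnerable() {
    register_rest_route( 'example-plugin/v1', '/pages', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_page',
        'permission_callback' => '__return_true', // anyone, logged in or not
    ) );
}

// --- Hardened pattern: capability check plus argument validation.
function example_register_routes_hardened() {
    register_rest_route( 'example-plugin/v1', '/pages', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_page',
        // Evaluated before the callback; a false or WP_Error result makes
        // WordPress answer with rest_forbidden (401 anonymous, 403 logged in).
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error(
                    'rest_not_logged_in',
                    'You must be logged in to create pages.',
                    array( 'status' => 401 )
                );
            }
            return current_user_can( 'publish_pages' );
        },
        'args' => array(
            'title'   => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'content' => array(
                'type'              => 'string',
                'sanitize_callback' => 'wp_kses_post', // strip disallowed HTML
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_routes_hardened' );

// Shared callback. With the hardened registration it only ever runs for a
// user who holds publish_pages; the draft status keeps an API call from
// publishing content without a human review step.
function example_create_page( WP_REST_Request $request ) {
    $post_id = wp_insert_post( array(
        'post_type'    => 'page',
        'post_status'  => 'draft',
        'post_title'   => $request['title'],
        'post_content' => isset( $request['content'] ) ? $request['content'] : '',
        'post_author'  => get_current_user_id(),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    return rest_ensure_response( array( 'id' => $post_id ) );
}
```

The callback itself is identical in both cases; the difference is entirely in whether WordPress is told who may reach it. When reviewing a plugin for this class of bug, grep for `register_rest_route` and check every call for a `permission_callback` that performs a `current_user_can` (or nonce/application-password) check rather than `__return_true`.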

Potential Impact

For European organizations, this vulnerability can lead to unauthorized content creation on corporate or public-facing websites, damaging brand reputation and trust. Attackers could inject malicious or misleading pages, potentially facilitating phishing attacks targeting customers or employees. The ability to send emails from the compromised site increases the risk of spam or spear-phishing campaigns that appear legitimate, potentially bypassing email filters due to originating from a trusted domain. This can result in data breaches, financial fraud, or malware distribution. Organizations relying on RealPress for content management or marketing may face operational disruptions and increased incident response costs. The vulnerability's ease of exploitation without authentication means attackers can rapidly compromise multiple sites, amplifying the threat landscape. Given the widespread use of WordPress in Europe, especially among SMEs and public institutions, the impact could be broad if not mitigated promptly.

Mitigation Recommendations

Immediate mitigation steps include disabling the RealPress plugin if feasible until a patched version is released. Administrators should monitor and restrict access to the WordPress REST API endpoints using web application firewalls (WAFs) or custom server rules to block unauthorized requests targeting RealPress routes. Implementing strict IP whitelisting or authentication mechanisms for REST API access can reduce exposure. Site owners should audit existing pages and email logs for suspicious activity indicative of exploitation. Once a patched version is available, promptly update the plugin to ensure proper authorization checks are enforced. Additionally, organizations should enhance monitoring for anomalous page creation or email sending patterns and educate staff about phishing risks stemming from compromised site emails. Employing security plugins that enforce REST API permission checks or rate limiting can provide additional layers of defense.
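As an added example of the operator-side stop-gap described above (blocking unauthenticated requests to the affected routes and logging page creation and mail sending), here is a must-use plugin that a site owner can drop into `wp-content/mu-plugins/` until the patched version is installed. This is not RealPress code and not part of the advisory; `EXAMPLE_GUARDED_NAMESPACES` holds a placeholder because the plugin's actual REST namespace is not stated on this page and must be taken from the plugin's own `register_rest_route` calls. The hooks used (`rest_pre_dispatch`, `wp_insert_post`, `wp_mail`) and the `REST_REQUEST` constant are standard WordPress.

```php
<?php
/**
 * Plugin Name: Example REST namespace guard (mu-plugin)
 * Added example, not part of RealPress or the advisory. Refuses anonymous
 * calls under the listed REST namespaces and logs the behaviours the advisory
 * describes (page creation and mail sending via the REST API).
 */

// Placeholder: replace with the plugin's real route prefix, read from its source.
const EXAMPLE_GUARDED_NAMESPACES = array(
    '/REPLACE-WITH-PLUGIN-NAMESPACE/v1/',
);

/**
 * Short-circuit any request under a guarded namespace unless WordPress has
 * already authenticated a user (cookie+nonce or application password) who can
 * edit pages. Runs after authentication and before the route's own callback.
 */
function example_guard_rest_namespace( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already answered the request
    }
    $route = $request->get_route();
    foreach ( EXAMPLE_GUARDED_NAMESPACES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            if ( ! is_user_logged_in() || ! current_user_can( 'edit_pages' ) ) {
                example_log_event( 'blocked_rest', $route );
                return new WP_Error(
                    'rest_forbidden',
                    'Authentication required for this endpoint.',
                    array( 'status' => 401 )
                );
            }
        }
    }
    return $result;
}
add_filter( 'rest_pre_dispatch', 'example_guard_rest_namespace', 10, 3 );

/**
 * Detection: a page created through the REST API with no authenticated author
 * is the signature of the exploitation path described in the advisory.
 */
function example_audit_page_creation( $post_id, $post, $update ) {
    if ( $update || 'page' !== $post->post_type ) {
        return;
    }
    $via_rest = defined( 'REST_REQUEST' ) && REST_REQUEST;
    if ( $via_rest && 0 === (int) $post->post_author ) {
        example_log_event( 'anonymous_rest_page', 'post_id=' . $post_id );
    }
}
add_action( 'wp_insert_post', 'example_audit_page_creation', 10, 3 );

/**
 * Detection: record outbound mail triggered during REST requests so spam or
 * phishing relayed through the site shows up in the logs. Observe only.
 */
function example_audit_rest_mail( $args ) {
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        $to = is_array( $args['to'] ) ? implode( ',', $args['to'] ) : (string) $args['to'];
        example_log_event( 'rest_mail', 'to=' . $to . ' subject=' . $args['subject'] );
    }
    return $args; // never alter the message
}
add_filter( 'wp_mail', 'example_audit_rest_mail' );

function example_log_event( $kind, $detail ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    // Lands in PHP's error log (or wp-content/debug.log with WP_DEBUG_LOG);
    // forward that file to the SIEM so the events can be alerted on.
    error_log( sprintf( '[rest-guard] %s ip=%s %s', $kind, $ip, $detail ) );
}
```

The guard is deliberately blunt: it denies every anonymous call under the namespace, so if the plugin also exposes routes that legitimately serve logged-out visitors those break until the patched release restores proper per-route checks. A WAF rule matching the same path prefix for unauthenticated requests gives the same protection one layer earlier; the logging hooks remain useful after the patch as a check that the fix holds.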


Technical Details

Data Version: 5.2
Assigner Short Name: WPScan
Date Reserved: 2025-09-30T12:38:44.699Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69045e81d694fb7fc7296d01

Added to database: 10/31/2025, 7:00:17 AM

Last enriched: 10/31/2025, 7:00:40 AM

Last updated: 11/1/2025, 3:42:53 PM

Views: 24
