WPCasa WordPress Plugin CVE-2025-9321 Code Injection Vulnerability: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-9321, a critical code injection vulnerability affecting all versions of the WPCasa WordPress plugin up to and including 1.4.1. We focus on technical details, affected versions, and vendor history, with references for further reading.
CVE Analysis

7 min read

ZeroPath CVE Analysis

2025-09-22

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can achieve remote code execution on real estate websites running WPCasa for WordPress without authentication. This vulnerability impacts a widely used property management plugin, exposing sensitive business and client data to compromise across all sites using affected versions.

WPCasa is a real estate management solution for WordPress developed by WPSight. It is used by thousands of real estate professionals and agencies to manage property listings, searches, and agent profiles. The plugin is available in the official WordPress repository and forms the backbone of many real estate websites.

Technical Information

CVE-2025-9321 is a code injection vulnerability in the WPCasa plugin for WordPress, affecting all versions up to and including 1.4.1. The root cause is insufficient input validation and restriction in the 'api_requests' function, located in includes/class-wpsight-api.php at or near line 48 (reference).

The vulnerable function processes API requests from external sources. Due to a lack of proper input sanitization, unauthenticated attackers can craft malicious HTTP requests to the plugin's API endpoints. These requests can include arbitrary function calls or code payloads, which the plugin then executes on the server. This is a classic example of CWE-94 (Improper Control of Code Generation), where user input is used in code execution contexts without adequate validation.

No public code snippet is provided in the official advisories, but the vulnerability is confirmed to reside in the API handling logic. Exploitation does not require authentication, making it trivial for attackers to automate attacks against any publicly accessible WordPress site running a vulnerable version of WPCasa.
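Because the advisories publish no snippet, the following is an added illustration of the CWE-94 pattern the text describes, written for this post and not taken from WPCasa or WPSight: a hypothetical plugin API handler that lets the request name the PHP callable to run, next to a hardened version that dispatches only through a fixed allowlist, validates arguments through the REST API schema and applies a permission callback. Every function, route, post type and parameter name here (insecure_api_requests, wpsight_api_dispatch, the wpsight/v1/api route, the "listing" post type) is an assumption for illustration.

```php
<?php
/**
 * Added example (not WPCasa's code): the CWE-94 "user input selects the
 * callable" pattern, shown as a hypothetical WordPress plugin API handler,
 * beside a hardened allowlist-based version. All names are assumptions.
 */

// --- Vulnerable shape ------------------------------------------------------
// The request itself names the PHP callable to invoke, so any callable the
// server knows about can be reached by an unauthenticated visitor.
function insecure_api_requests() {
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    $args   = isset( $_REQUEST['args'] ) ? (array) $_REQUEST['args'] : array();
    if ( is_callable( $action ) ) {            // checks callability, restricts nothing
        return call_user_func_array( $action, $args );
    }
    return null;
}

// --- Hardened shape --------------------------------------------------------
// 1. A fixed allowlist decides which handlers exist; the request supplies a
//    key into this map, never a callable name.
function wpsight_api_handlers() {
    return array(
        'get_listing' => 'wpsight_api_get_listing',
        'search'      => 'wpsight_api_search',
    );
}

// 2. Handlers receive a WP_REST_Request whose parameters were already
//    validated against the schema declared at registration time.
function wpsight_api_get_listing( WP_REST_Request $request ) {
    $post = get_post( (int) $request->get_param( 'id' ) );
    if ( ! $post || 'listing' !== $post->post_type || 'publish' !== $post->post_status ) {
        return new WP_Error( 'not_found', 'Listing not found', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'    => $post->ID,
        'title' => get_the_title( $post ),
    ) );
}

function wpsight_api_search( WP_REST_Request $request ) {
    $query = new WP_Query( array(
        'post_type'      => 'listing',   // assumed post type
        'post_status'    => 'publish',
        's'              => sanitize_text_field( (string) $request->get_param( 'q' ) ),
        'posts_per_page' => 20,
    ) );
    // Return only public fields, keyed by post ID.
    return rest_ensure_response( wp_list_pluck( $query->posts, 'post_title', 'ID' ) );
}

// 3. The dispatcher resolves the key through the allowlist and rejects
//    anything it does not contain.
function wpsight_api_dispatch( WP_REST_Request $request ) {
    $handlers = wpsight_api_handlers();
    $key      = (string) $request->get_param( 'action' );
    if ( ! isset( $handlers[ $key ] ) ) {
        return new WP_Error( 'invalid_action', 'Unknown API action', array( 'status' => 400 ) );
    }
    return call_user_func( $handlers[ $key ], $request );
}

// 4. Registration declares argument types, an enum for the action key and a
//    permission callback, so WordPress validates the request before the
//    dispatcher ever runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wpsight/v1', '/api', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'wpsight_api_dispatch',
        'permission_callback' => function () {
            // Use '__return_true' only for an intentionally public, read-only API.
            return current_user_can( 'read' );
        },
        'args'                => array(
            'action' => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array_keys( wpsight_api_handlers() ),
            ),
            'id' => array( 'type' => 'integer', 'minimum' => 1 ),
            'q'  => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );
```

The design point is that the hardened version never converts request data into a callable: the enum on the action argument rejects unknown keys before the callback runs, the allowlist turns a key into a handler the plugin author chose, and the handlers only ever see typed, sanitized parameters. Reviewing a plugin for this class of bug means searching for call_user_func, call_user_func_array, variable functions ($fn()), eval and similar constructs and tracing whether their operand can originate from the request.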

Affected Systems and Versions

  • Product: WPCasa WordPress plugin
  • Versions affected: All versions up to and including 1.4.1
  • Any WordPress site with WPCasa 1.4.1 or earlier is vulnerable
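As an added check that is not part of this post's source material or WPSight's code, the following must-use plugin compares the installed WPCasa version against the affected range and shows an administrator notice when it falls at or below 1.4.1. The plugin's main file path (wpcasa/wpcasa.php) is an assumption; adjust it to the actual path on the site.

```php
<?php
/**
 * Added example (not WPSight's code): mu-plugin that warns administrators
 * when an installed WPCasa version is in the affected range (<= 1.4.1).
 * The plugin file path below is an assumption.
 */

// Returns true when the given version string is within the affected range.
function wpsight_version_is_affected( $version ) {
    return version_compare( (string) $version, '1.4.1', '<=' );
}

add_action( 'admin_init', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $plugin_slug = 'wpcasa/wpcasa.php';                 // assumed main file
    $plugin_file = WP_PLUGIN_DIR . '/' . $plugin_slug;
    if ( ! file_exists( $plugin_file ) ) {
        return;                                          // WPCasa not installed
    }

    $data    = get_plugin_data( $plugin_file, false, false );
    $version = isset( $data['Version'] ) ? $data['Version'] : '0';
    if ( ! wpsight_version_is_affected( $version ) ) {
        return;
    }

    $state = is_plugin_active( $plugin_slug ) ? 'active' : 'installed but inactive';
    add_action( 'admin_notices', function () use ( $version, $state ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'WPCasa %s is %s. Versions up to and including 1.4.1 are affected by CVE-2025-9321; update or remove the plugin.',
                $version,
                $state
            ) )
        );
    } );
} );
```

Dropping this file into wp-content/mu-plugins/ makes it load on every admin request without activation. An inactive copy is still reported, since the vulnerable file remains on disk until the plugin is updated or deleted.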

Vendor Security History

WPSight, the developer of WPCasa, provides a suite of real estate plugins and themes for WordPress. The company maintains active documentation and support channels. No prior critical vulnerabilities were identified in the provided materials, but the presence of this long-standing flaw highlights the need for improved input validation and code review processes.
