CVE-2026-57811

CRITICAL

WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-57811. PoCs published by incogbyte.

AI-analyzed exploit summary This exploit demonstrates unauthenticated arbitrary file upload leading to remote code execution (RCE) in Realtyna Organic IDX WordPress plugin (versions <= 5.2.0) by abusing a deprecated mobile application API endpoint with insufficient validation of the `commands_directory` parameter and file upload handling.

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows Remote Code Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through <= 5.2.0.

Exploits (1)

github WORKING POC 3 stars
by incogbyte · pythonpoc
https://github.com/incogbyte/wp-cve-exploits/tree/main/CVE-2026-57811

This exploit demonstrates unauthenticated arbitrary file upload leading to remote code execution (RCE) in Realtyna Organic IDX WordPress plugin (versions <= 5.2.0) by abusing a deprecated mobile application API endpoint with insufficient validation of the `commands_directory` parameter and file upload handling.

Classification
Working Poc 99%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Realtyna Organic IDX (real-estate-listing-realtyna-wpl) <= 5.2.0
No auth needed
Prerequisites: Knowledge of the target's plugin-specific `public_key` and `private_key` (stored in `wp_options wpl_settings`) · Sequential property ID probing to locate the uploaded file
mistral-large-3 · analyzed Jul 14, 2026 Full analysis →

Scores

CVSS v3 10.0
EPSS 0.0032
EPSS Percentile 24.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
Realtyna/Realtyna Organic IDX plugin < 5.2.0
Published Jul 13, 2026
Tracked Since Jul 13, 2026