CVE-2023-6140: 
WordPress vulnerability analysis and mitigation

The Essential Real Estate WordPress plugin before version 4.4.0 contains a critical security vulnerability identified as CVE-2023-6140. The vulnerability was discovered by Marc Montpas and Krzysztof Zając (CERT PL) and was publicly disclosed on December 18, 2023. This security issue affects WordPress installations using the Essential Real Estate plugin versions prior to 4.4.0 (WPScan).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434) with a CVSS v3.1 Base Score of 8.8 (HIGH). The security flaw allows users with limited privileges on the site, such as subscribers, to momentarily upload malicious PHP files disguised as ZIP archives. The vulnerability exists in the file upload functionality of the plugin, specifically in the font upload feature (NVD, WPScan).

If exploited, this vulnerability could lead to remote code execution on the affected WordPress installation. An attacker with a subscriber-level account could potentially execute arbitrary PHP code on the server, potentially leading to complete site compromise (WPScan).

The vulnerability has been fixed in version 4.4.0 of the Essential Real Estate plugin. Site administrators are strongly advised to update to this version or later to protect against this security risk (WPScan).