CVE-2025-11191: 
WordPress vulnerability analysis and mitigation

The RealPress WordPress plugin before version 1.1.0 contains a vulnerability related to improper permission checks in REST routes registration. This security flaw was discovered on October 10, 2025, and was assigned CVE-2025-11191. The vulnerability affects all versions of the RealPress plugin up to and including version 1.0.9 (WPScan, Rapid7).

The vulnerability stems from the plugin's REST API implementation where routes are registered without proper permission checks. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and primarily affects the integrity of the system (WPScan).

The vulnerability allows unauthenticated attackers to perform two unauthorized actions: create pages on the WordPress site and send arbitrary emails from the site. This could lead to content manipulation and potential email spam or phishing campaigns using the compromised site's domain (Rapid7).

The recommended mitigation is to update the RealPress plugin to version 1.1.0 or later, which includes proper permission checks for the REST routes. This update addresses the vulnerability by implementing appropriate authentication requirements (WPScan).