Atomic Edge analysis of CVE-2026-27050:
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the RealPress Real Estate WordPress plugin versions up to 1.1.0. The vulnerability affects the agent request approval functionality within the plugin’s admin interface. It allows unauthenticated attackers to trick administrators into performing unauthorized actions, potentially changing user roles.
Root Cause:
The vulnerability originates in the `handle_become_an_agent()` function within `/realpress/app/Controllers/BecomeAgentController.php`. The function processes the GET parameters `realpress-action` and `user_id` (lines 30-31) without validating a WordPress nonce. The function executes role changes (lines 55-65) when the action is ‘accept-request’ or ‘deny-request’. The code performs an administrator capability check and validates that the target user exists, but it lacks CSRF protection. Those checks do not help against a forged request, because the request is sent by the administrator’s own authenticated browser and therefore passes both of them.
Exploitation:
An attacker crafts a malicious link or embeds an image tag with a specific URL targeting a logged-in administrator. The URL points to the WordPress admin area with the parameters `users.php?realpress-action=accept-request&user_id={TARGET_USER_ID}`. When an administrator with sufficient privileges visits this URL while authenticated, the plugin processes the request, accepts the pending agent request, and elevates the specified user to the REALPRESS_AGENT_ROLE. The attack requires no authentication from the attacker, only a successful social engineering attempt.
Patch Analysis:
The patch adds nonce validation to the `handle_become_an_agent()` function. It introduces a `$nonce_map` array (lines 40-43) that maps actions to specific nonce names. The code now checks for the presence of the `_wpnonce` GET parameter (line 49) and validates it using `wp_verify_nonce()` (line 50). The patch also modifies the `user_row_actions()` function (lines 113-128) to generate nonced URLs using `wp_nonce_url()` for the ‘Accept’ and ‘Deny’ action links. These changes ensure each administrative action requires a unique, time-limited token tied to the user session.
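Added illustration of the patched design described above (not the plugin’s own code): a reconstructed handler that validates the per-action nonce before changing a role, and row-action links built with `wp_nonce_url()`. The nonce action names, the `rp_example_*` function names, the `edit_users` capability and the `admin_init` hook are assumptions; the parameter names and the role constant come from the advisory.

```php
<?php
// Added illustration, not the plugin's code. Nonce action names, function names and the
// admin_init hook are assumptions; the request/role parameter names come from the advisory.
add_action( 'admin_init', 'rp_example_handle_become_an_agent' );
function rp_example_handle_become_an_agent() {
    if ( ! isset( $_GET['realpress-action'], $_GET['user_id'] ) ) {
        return;
    }
    $action  = sanitize_key( wp_unslash( $_GET['realpress-action'] ) );
    $user_id = absint( $_GET['user_id'] );

    // Capability and existence checks alone do not stop CSRF: the forged request
    // arrives from the administrator's own authenticated browser.
    if ( ! current_user_can( 'edit_users' ) || ! get_userdata( $user_id ) ) {
        return;
    }

    // Map each action to a nonce action name bound to the targeted user id.
    $nonce_map = array(
        'accept-request' => 'realpress_accept_request_' . $user_id,
        'deny-request'   => 'realpress_deny_request_' . $user_id,
    );
    if ( ! isset( $nonce_map[ $action ] ) ) {
        return;
    }
    // Reject unless a valid, unexpired nonce for this action and session is present.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, $nonce_map[ $action ] ) ) {
        wp_die( esc_html__( 'Security check failed.', 'realpress' ), 403 );
    }
    if ( 'accept-request' === $action ) {
        $user = new WP_User( $user_id );
        $user->set_role( REALPRESS_AGENT_ROLE );
    }
    // deny-request: the plugin's deny handling is not described in the advisory; no-op here.
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// Row-action links carry the matching nonce, so only links WordPress rendered for this admin verify.
function rp_example_user_row_actions( $actions, $user ) {
    foreach ( array( 'accept-request' => 'Accept', 'deny-request' => 'Deny' ) as $act => $label ) {
        $url          = admin_url( 'users.php?realpress-action=' . $act . '&user_id=' . $user->ID );
        $nonce_action = 'realpress_' . str_replace( '-', '_', $act ) . '_' . $user->ID;
        $actions[ 'rp_' . $act ] = '<a href="' . esc_url( wp_nonce_url( $url, $nonce_action ) ) . '">' . esc_html( $label ) . '</a>';
    }
    return $actions;
}
add_filter( 'user_row_actions', 'rp_example_user_row_actions', 10, 2 );
```

Because the nonce action string includes the target user id, a token issued for one user’s “Accept” link does not verify for a different `user_id`, and `wp_verify_nonce()` also fails once the nonce’s validity window has passed.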
Impact:
Successful exploitation allows attackers to escalate the privileges of any subscriber user to agent status without authorization. This grants the compromised user access to agent-specific functionality within the real estate platform. Attackers could create fraudulent property listings, manipulate existing listings, or access sensitive agent information. The vulnerability requires administrator interaction but no technical skill beyond crafting a malicious link.
