Critical Vulnerabilities in WordPress RealHome and Easy Real Estate Plugins
2025-01-23
Learn about the risks of unpatched vulnerabilities in popular WordPress themes and plugins, and how CloudGuard can help protect against privilege escalation attacks.
Two critical vulnerabilities affecting the RealHome theme and Easy Real Estate plugins for WordPress allow unauthenticated users to gain administrative privileges. Despite being identified in September 2024, these issues remain unpatched by the vendor, InspiryThemes. The RealHome theme's flaw enables attackers to register as administrators through a registration function without proper authorization checks, while the Easy Real Estate plugin allows privilege escalation via its social login feature. Both vulnerabilities pose significant security risks to websites using these popular real estate solutions.
Zero-Day, Privilege Escalation, Web App/Website Vulnerability
WordPress, RealHome, Easy Real Estate, privilege escalation, CVE-2024-32444, CVE-2024-32555
CVE-2024-32444; CVE-2024-32555
RealHome theme, Easy Real Estate plugin, WordPress
Recent findings have uncovered two severe vulnerabilities in popular WordPress plugins, RealHome and Easy Real Estate, which are widely used in real estate websites. These vulnerabilities allow unauthorized users to gain administrative access, posing significant security threats. RealHome Theme Flaw (CVE-2024-32444) The RealHome theme is affected by an unauthenticated privilege escalation vulnerability. This flaw, identified by Patchstack, exploits the Easy Real Estate Plugin Flaw (CVE-2024-32555) Similarly, the Easy Real Estate plugin has a critical issue with its social login feature. The vulnerability arises because the plugin does not verify the ownership of email addresses used for login. If an attacker knows an admin's email, they can log in without needing a password, leading to unauthorized access and potential control over the website. These vulnerabilities were discovered in September 2024, but despite multiple attempts to reach the vendor, InspiryThemes, no security patches have been released. The RealHome theme is used on over 32,600 websites, amplifying the risk of exploitation. Both vulnerabilities allow attackers to gain full administrative control, enabling them to manipulate content, inject malicious scripts, and access sensitive data. The high CVSS scores of 9.8 for both vulnerabilities highlight the critical nature of these issues. Website owners using these plugins should consider disabling new user registrations and social logins until patches are available. Additionally, monitoring for unusual activity and enforcing strong access controls can help mitigate risks.Critical Vulnerabilities in WordPress Real Estate Plugins
Vulnerabilities Overview
inspiry_ajax_register function. The function allows new user registrations but fails to properly verify authorization or implement nonce validation. This oversight means that if registration is enabled, attackers can craft an HTTP request to register as administrators, bypassing security checks.Impact and Current Status
Risks of Exploitation
Mitigation Advice