The WordPress real estate plugins, RealHome theme and Easy Real Estate, are vulnerable to two zero-day flaws that could enable unauthorised users to acquire admin access.
Researchers identified the weaknesses in September last year, and despite several attempts to contact the vendor, the bugs have not been addressed yet.
Based on reports, the vendor has already released three versions of the affected plugins since September. However, no security updates to address serious concerns have been introduced. Consequently, the problems remain unresolved and exploitable.
Thousands of websites employ the affected WordPress real estate plugins.
The RealHome theme and Easy Real Estate are two of the most popular WordPress real estate plugins. A recent tally shows that at least 32,000 websites use the RealHome theme.
The first vulnerability affecting the RealHome theme is an unauthenticated privilege escalation flaw tracked by researchers as CVE-2024-32444. The theme allows users to generate new accounts using the inspiry_ajax_register function. However, it does not correctly check authorisation or implement nonce validation.
If a site admin enables registration on the website, malicious users can freely declare their role as “Administrator” via a suitably crafted HTTP request to the registration function. This tactic could effectively bypass security measures.
Once enrolled as an administrator, the unauthorised individual can acquire complete authority over the WordPress site, including manipulating content, installing scripts, and accessing user or other sensitive information.
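As an added illustration (not the theme's code and not a vendor patch), the handler below shows a registration endpoint that avoids the flaw class described for CVE-2024-32444: it validates a nonce, honours the site's registration setting, and never reads the role from the request. The action name `example_register`, the nonce action `example_register_nonce` and the POST field names are hypothetical.

```php
<?php
// Added example. Hypothetical names: example_register, example_register_nonce, POST fields.
add_action( 'wp_ajax_nopriv_example_register', 'example_ajax_register' );

function example_ajax_register() {
    // 1. Require a nonce issued with the form. This is CSRF protection only;
    //    it authorises nothing, so the checks below still matter.
    if ( ! check_ajax_referer( 'example_register_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 403 );
    }

    // 2. Honour the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    // 3. Read only the fields a visitor may legitimately supply.
    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ), true ) : '';
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid username or email.' ), 400 );
    }
    if ( username_exists( $login ) || email_exists( $email ) ) {
        wp_send_json_error( array( 'message' => 'Account already exists.' ), 409 );
    }

    // 4. The role is decided server-side. Any "role" value in $_POST is ignored,
    //    and a privileged default role is refused as well.
    $role = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, array( 'subscriber', 'contributor' ), true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Registration failed.' ), 500 );
    }

    wp_send_json_success( array( 'message' => 'Account created.' ) );
}
```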
Another unauthenticated privilege escalation vulnerability via social login affects the Easy Real Estate plugin. Researchers identify this flaw as CVE-2024-32555. The issue originates from the social login feature, which allows users to log in through their email address without confirming that it belongs to the person making the request.
As a result, if an attacker has the admin’s email address, they can get in without a password. The consequences of successful exploitation are identical to CVE-2024-32444.
InspiryThemes has not yet provided a patch. Therefore, sites that employ flawed plugins should be wary of malicious activities, as threat actors could now exploit these publicly disclosed vulnerabilities without available updates that would fix the bugs.
