The RealHomes theme, one of WordPress’s most popular real estate website themes, and its associated Easy Real Estate plugin are affected by two critical security vulnerabilities. If exploited correctly, these vulnerabilities can grant administrative access to an intruder.
Security researchers at Patchstack discovered the bugs in version 4.3.3 of the theme in September 2024. They’ve tried contacting the theme developer, InspiryThemes, multiple times since then, to no avail. InspiryThemes has updated the theme thrice since the vulnerabilities were discovered, but the security flaws remain unpatched.
Details of the two bugs are as follows:
- CVE-2024-32444: This is a privilege escalation bug with a CVSS rating of 9.8 in the RealHomes theme. An attacker can register themselves as an administrator using a specially crafted HTTP request to the registration function in the theme, bypassing any security checks.
- CVE-2024-32555: This is another privilege escalation flaw that resides in the Easy Real Estate plugin. It also has a CVSS rating of 9.8 and stems from a bug in the social login features provided by the plugin. If an intruder knows an admin’s email address, they can gain admin access to the site’s backend without needing to enter a password.

Either of these vulnerabilities can be exploited to gain complete control of a vulnerable WordPress website. Exploitation can further result in content manipulation and leaks of user or other sensitive data, and the attackers can also plant malicious scripts to stage further attacks.
According to Envato Market data, the theme is used by 32,600 websites at the time of writing. Since there’s no patch or workaround for the security issues, Patchstack researchers recommend immediately disabling the theme or plugin, whichever is in active use.
Since the vulnerabilities have been disclosed publicly, they will inevitably be exploited by hackers who might start scanning for vulnerable websites. Restricting user registration on vulnerable websites can help mitigate the issue but doesn’t entirely protect the website.
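Because the theme bug lets an attacker register an administrator account, site owners who ran the theme can review their user list for administrators they did not create. The sketch below is an added example, not code from Patchstack or the theme developer; it assumes a user export in the shape of WP-CLI's `wp user list --format=json`, and the sample accounts, allow-list and cutoff date are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample in the shape of `wp user list --format=json`
# (default fields); none of these accounts come from a real site.
SAMPLE_EXPORT = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.test",
  "user_registered": "2021-03-02 09:14:00", "roles": "administrator"},
 {"ID": 57, "user_login": "agent_maria", "user_email": "maria@example.test",
  "user_registered": "2024-11-20 16:40:11", "roles": "subscriber"},
 {"ID": 58, "user_login": "support_team", "user_email": "x@example.test",
  "user_registered": "2025-01-18 03:22:45", "roles": "administrator"},
 {"ID": 59, "user_login": "editor_sam", "user_email": "sam@example.test",
  "user_registered": "2025-01-19 11:05:00", "roles": "editor,administrator"}
]"""


def suspicious_admins(export_json, known_admins, cutoff):
    """Return administrator accounts that are missing from the allow-list
    or were registered on or after `cutoff` (YYYY-MM-DD), with reasons."""
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d")
    findings = []
    for user in json.loads(export_json):
        # WP-CLI prints multiple roles as a comma-separated string.
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        if "administrator" not in roles:
            continue
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not on allow-list")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff_dt:
            reasons.append("registered after cutoff")
        if reasons:
            findings.append((user["user_login"], user["user_registered"], reasons))
    return findings


if __name__ == "__main__":
    # Allow-list and cutoff are assumptions the site owner supplies.
    known = {"siteowner", "editor_sam"}
    for login, when, why in suspicious_admins(SAMPLE_EXPORT, known, "2024-09-01"):
        print(f"REVIEW {login} (registered {when}): {', '.join(why)}")
```

This check only surfaces newly created administrators; a login through the social login flaw reuses an existing admin account and would not appear here.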