Two severe security vulnerabilities have been identified in the RealHome theme and Easy Real Estate plugin for WordPress, which could allow attackers to gain administrative access to websites without authentication.

These flaws pose a significant risk to thousands of websites, especially those in the real estate industry.

The vulnerabilities were first reported by cybersecurity firm Patchstack in September 2024. Despite multiple attempts to contact the developer, InspiryThemes, no response or security patches have been provided to address these issues. Patchstack further noted that InspiryThemes has released three updates since the vulnerabilities were reported, yet none have included fixes for these critical flaws, leaving websites exposed to exploitation.

Details of the Vulnerabilities

The RealHome theme and Easy Real Estate plugin are widely used in real estate websites, with the RealHome theme alone active on over 32,600 sites, according to Envato Market data.

Buy Me a Coffee

The first vulnerability, tracked as CVE-2024-32444, is a privilege escalation flaw in the RealHome theme. With a CVSS score of 9.8, this issue is highly critical. The flaw lies in the inspiry_ajax_register function, which handles user registration. The function fails to validate authorization and nonce tokens properly. Attackers can exploit this by sending a specially crafted HTTP request, allowing them to register as administrators if user registration is enabled on the website. Once an attacker gains administrative privileges, they can manipulate content, plant malicious scripts, and access sensitive data.

The second vulnerability affects the Easy Real Estate plugin and is tracked as CVE-2024-32555 (CVSS score: 9.8). This flaw originates from the plugin’s social login feature, which does not verify if the provided email belongs to the user attempting to log in. Attackers can exploit this by using an administrator’s email address to bypass authentication and gain full access to the website.

READ
TikTok, SHEIN, and More Face Legal Complaints Over EU Data Privacy Breaches

Mitigation Steps

Since InspiryThemes has not yet released a fix, users are strongly advised to take immediate action to secure their websites. The following steps are recommended:

  • Disable the RealHome theme and Easy Real Estate plugin until security updates are available.
  • Turn off user registration on affected websites to prevent unauthorized account creation.
  • Regularly monitor for suspicious activity and implement additional security measures such as a web application firewall (WAF).