The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges.
Although the two flaws were discovered in September 2024 by Patchstack, and multiple attempts were made to contact the vendor (InspiryThemes), the researchers say they have not received a response.
Also, Patchstack says the vendor released three versions since September, but no security fixes to address the critical issues were introduced. Hence, the issues remain unfixed and exploitable.
Vulnerability details
The RealHome theme and Easy Real Estate are among the most popular themes and plugins designed for use in real estate websites. According to Envanto Market data, the RealHome theme is used in 32,600 websites.
The first flaw, which impacts RealHome theme, is an unauthenticated privilege escalation problem tracked as CVE-2024-32444 (CVSS score: 9.8).
The theme allows users to register new accounts via the inspiry_ajax_register function, however, it does not properly check authorization or implement a nonce validation.
If registration is enabled on the website, attackers can arbitrarily specify their role as "Administrator" in a specially crafted HTTP request to the registration function, essentially bypassing security checks.
Once registered as an administrator, the attacker can subsequently gain full control of the WordPress site, including performing content manipulation, planting scripts, and accessing user or other sensitive data.
The flaw impacting the Easy Real Estate plugin is another unauthenticated privilege escalation issue via the social login. It's tracked under CVE-2024-32555 (CVSS score: 9.8).
The problem stems from the social login feature, which allows users to log in using their email address without verifying if it belongs to the person making the request.
As a result, if an attacker knows an admin's email address, they can log in without needing a password. The repercussions of successful exploitation are similar to those of CVE-2024-32444.
Mitigation recommendations
As no patch has been released yet by InspiryThemes, website owners and administrators using the said theme or plugin should disable them immediately.
Restricting user registration on affected websites would also prevent unauthorized account creations, limiting the potential for exploitation.
As the problems on the two add-ons are now public, threat actors are bound to explore their potential and scan for vulnerable websites, so responding quickly to mitigate the threat is crucial at this point.
Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
Comments
PluginVulns - 1 year ago
There isn't any mention of Patchstack reaching out to ThemeForest, which hosts the theme, before disclosing this. Did you reach out to them or the developer for comment about Patchstack's claims? (We just reached out to them both.)
Patchstack's post says that "This vulnerability occurred because the code that handles user input didn’t have any authorization or nonce check." But the code that follows includes a nonce check. The code even has a comment that says "First check the nonce, if it fails the function will break." So it seems like at least some of their information isn't correct.