Critical Zero-Day Flaws in WordPress Real Estate Tools Remain Unpatched

Two severe vulnerabilities in the RealHome theme and Easy Real Estate plugin for WordPress could allow unauthenticated attackers to gain administrator access. Patchstack identified the flaws in September 2024 and reached out to the vendor, InspiryThemes, but the three updates released since then contain no security patches, so both issues remain unaddressed.

The first flaw, CVE-2024-32444, allows attackers to exploit the RealHome theme's registration function to create admin accounts, bypassing authorization checks. The second, CVE-2024-32555, impacts the Easy Real Estate plugin, enabling attackers to log in as admins using social login without verifying email ownership. Both vulnerabilities have a critical CVSS score of 9.8.

Given the lack of fixes, website owners are urged to disable the affected tools and restrict user registrations immediately. Attackers are likely to exploit these issues soon, making rapid mitigation essential to protect sites from being compromised.
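Because both flaws end in administrator access, a site owner applying these mitigations will also want to review the existing administrator accounts. The script below is an added example, not code from the article, Patchstack, or the vendor: it audits a CSV export from WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`) against an allowlist and a cutoff date. The sample rows, the allowlist, and the cutoff are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample of the WP-CLI administrator export described above.
SAMPLE_EXPORT = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-14 09:12:44
7,agent_maria,maria@example.com,2023-06-02 16:40:10
42,wp_support01,helper@example.net,2025-01-20 03:17:55
43,agent_lee,lee@example.com,2024-11-05 11:02:30
"""

# Assumptions for this example: logins the site owner knows to be legitimate
# administrators, and a date after which every new admin must be re-verified.
KNOWN_ADMINS = {"siteowner", "agent_maria", "agent_lee"}
BASELINE = datetime(2024, 9, 1)


def audit_admins(export_csv, known_admins, baseline):
    """Return (login, reasons) for each administrator row that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"]
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admins:
            reasons.append("not in allowlist")
        if registered >= baseline:
            reasons.append("registered after baseline")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_EXPORT, KNOWN_ADMINS, BASELINE):
        print(f"REVIEW {login}: {', '.join(reasons)}")
```

An account flagged only for its registration date may still be legitimate; confirm it with the person it belongs to before removing it.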
