
Serious security flaws have been found in the RealHomes WordPress theme and its Easy Real Estate plugin, putting over 23,000 websites at risk.
These vulnerabilities allow attackers to gain full control of affected sites without needing login credentials. They have been rated 9.8 out of 10 in severity and are tracked as CVE-2024-32444 (theme) and CVE-2024-32555 (plugin).
RealHomes Theme Vulnerability (CVE-2024-32444)
The flaw exists in the inspiry_ajax_register function, which fails to check user inputs properly. Attackers can assign themselves administrator privileges by manipulating requests.
This can lead to full site control, data theft, and malware injection.
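Because this flaw ends with an attacker holding an administrator account, a useful check on an exposed site is to review which administrator accounts exist. The following is an added example, not code from the original article or from the vendor: it audits a user export in the JSON shape produced by WP-CLI's `wp user list --format=json`. The sample data, the approved-login list and the baseline date are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample, shaped like the output of:
#   wp user list --fields=ID,user_login,user_registered,roles --format=json
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner",
     "user_registered": "2021-03-02 09:14:55", "roles": "administrator"},
    {"ID": 7, "user_login": "agent_kim",
     "user_registered": "2023-11-20 16:40:12", "roles": "editor"},
    {"ID": 42, "user_login": "support_team",
     "user_registered": "2025-01-25 03:12:09", "roles": "subscriber,administrator"},
    {"ID": 43, "user_login": "newbuyer",
     "user_registered": "2025-01-26 11:05:00", "roles": "subscriber"},
])

APPROVED_ADMINS = {"siteowner"}   # assumption: logins the owner knows are legitimate
BASELINE = datetime(2024, 1, 1)   # assumption: last date the admin list was known good


def audit_admins(export_json, approved, baseline):
    """Return (ID, login, reasons) for administrator accounts that need review."""
    findings = []
    for user in json.loads(export_json):
        # WP-CLI prints multiple roles as one comma-separated string.
        roles = {r.strip() for r in str(user.get("roles", "")).split(",") if r.strip()}
        if "administrator" not in roles:
            continue
        reasons = []
        if user["user_login"] not in approved:
            reasons.append("not on approved list")
        try:
            registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
            if registered > baseline:
                reasons.append("registered after baseline")
        except (KeyError, ValueError):
            # Missing or zeroed dates (e.g. 0000-00-00 00:00:00) cannot be trusted.
            reasons.append("unparseable registration date")
        if reasons:
            findings.append((user["ID"], user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for uid, login, reasons in audit_admins(SAMPLE_EXPORT, APPROVED_ADMINS, BASELINE):
        print(f"REVIEW user {uid} ({login}): {', '.join(reasons)}")
```

An account that holds the administrator role alongside another role is still caught, since every role in the comma-separated field is checked.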
Easy Real Estate Plugin Vulnerability (CVE-2024-32555)
The issue occurs in the ere_social_register function, which does not verify email ownership correctly. Attackers can log in as any user, including administrators, by knowing their email address.
This could allow hackers to modify content and steal sensitive information.
What You Should Do
Website owners should act quickly to prevent possible attacks. Below are some measures to mitigate risk:
- Disable the theme and plugin immediately until a fix is released.
- Use security tools that provide virtual patches to protect against attacks.
- Stay updated with vendor announcements for security patches or switch to more secure alternatives.
These vulnerabilities highlight the importance of strong security measures in WordPress themes and plugins.
Source: Cybersecuritynews.com