Two critical vulnerabilities in the RealHome theme and the Easy Real Estate plugin for WordPress have put thousands of websites at risk of exploitation. Despite months of warnings and multiple vendor updates, these issues remain unresolved, leaving website administrators scrambling for solutions.
Widespread Usage Heightens the Risk
The RealHome theme and Easy Real Estate plugin are widely used by real estate professionals for their online platforms. According to Envanto Market data, the RealHome theme alone is active on over 32,600 websites. This popularity makes the flaws even more concerning, as the potential attack surface is vast.
Patchstack, a security firm that discovered the vulnerabilities in September 2024, has attempted to contact the vendor, InspiryThemes, multiple times. Despite these efforts, the company has not acknowledged the flaws or implemented fixes in its three subsequent updates. With no patch in sight, the vulnerabilities remain exploitable.
Understanding the Threats
Flaw 1: Privilege Escalation via Registration in RealHome Theme (CVE-2024-32444)
This critical vulnerability, assigned a CVSS score of 9.8, allows attackers to register accounts with administrator privileges without authorization. The flaw resides in the inspiry_ajax_register function, which fails to enforce proper authorization checks or nonce validation.
If user registration is enabled on a website using the RealHome theme, an attacker can craft a malicious HTTP request and assign themselves an administrator role. This access grants them complete control over the site, allowing them to:
- Modify or delete content.
- Inject malicious scripts.
- Access sensitive user data.
Flaw 2: Social Login Exploit in Easy Real Estate Plugin (CVE-2024-32555)
The Easy Real Estate plugin suffers from a similar privilege escalation issue, also scoring 9.8 on the CVSS scale. The plugin’s social login feature enables attackers to bypass authentication by simply knowing the email address of an administrator. No password verification is required, giving them unrestricted access to the website.
The potential consequences of this vulnerability are dire and mirror those of CVE-2024-32444, including site defacement, data theft, and malware installation.
Mitigation Strategies for Affected Users
With no official fix available, website owners and administrators must take immediate action to protect their sites. Experts recommend the following steps:
- Disable the Theme and Plugin: Immediately deactivate both the RealHome theme and Easy Real Estate plugin to eliminate the vulnerabilities.
- Restrict User Registration: If disabling the theme or plugin is not feasible, ensure that user registration is turned off to prevent unauthorized account creation.
- Monitor for Exploitation: Keep an eye on unusual activity, such as new administrative accounts or unexpected changes to site content.
Table: Comparison of Vulnerabilities
Vulnerability | Impacted Component | CVSS Score | Exploitation Method | Impact |
---|---|---|---|---|
CVE-2024-32444 | RealHome Theme | 9.8 | Arbitrary role assignment via registration function | Full site control, data theft, content tampering |
CVE-2024-32555 | Easy Real Estate Plugin | 9.8 | Social login bypass using admin email | Full site control, data theft, content tampering |
Why This Matters Now
The vulnerabilities are not just a theoretical risk. With the details now public, cybercriminals are likely to scan for and exploit vulnerable websites. Website owners who delay action may find their sites compromised in a matter of days or even hours.
Patchstack’s failure to secure a response from InspiryThemes and the vendor’s refusal to address the issues raise questions about accountability in the WordPress ecosystem. As security concerns mount, users must remain vigilant and proactive in defending their platforms.