In September 2024, security experts at Patchstack identified critical vulnerabilities in the RealHome theme and the Easy Real Estate plugin for WordPress, which allow unauthorized users to gain administrative privileges on websites. Despite multiple attempts to contact the developer, InspiryThemes, no response was ever received.
Since the discovery of these vulnerabilities, InspiryThemes has released three updates, none of which address the identified issues. The vulnerabilities remain unpatched and could be exploited by malicious actors. The RealHome theme and Easy Real Estate plugin are widely used by real estate website owners, with RealHome powering over 32,600 sites.
The first vulnerability, affecting the RealHome theme, is registered as CVE-2024-32444 and has a CVSS score of 9.8. This flaw enables attackers to escalate privileges to the administrator level. The issue stems from the inspiry_ajax_register function, which allows user registration but lacks proper authorization checks and does not use a nonce token to protect against request forgery.
If user registration is enabled on a website, an attacker can send a specially crafted HTTP request specifying the role of “Administrator,” bypassing existing security measures. Once administrative privileges are obtained, the cybercriminal can take full control of the site, alter content, inject malicious scripts, and access sensitive user data.
The second vulnerability, linked to the Easy Real Estate plugin, is recorded as CVE-2024-32555 and also has a CVSS score of 9.8. This flaw similarly allows privilege escalation by unauthorized users via the social login feature. The vulnerability arises from a failure to verify the email address’s association with the logging-in user. Consequently, knowing an administrator’s email address enables an attacker to log in without a password and gain full access to the site.
As InspiryThemes has yet to release fixes, website owners are strongly advised to immediately disable the RealHome theme and Easy Real Estate plugin. Additionally, it is recommended to disable new user registrations to prevent the creation of unauthorized accounts. With the vulnerabilities now publicly disclosed, hackers may actively scan websites for these weaknesses. Therefore, taking timely protective measures is of utmost importance.
