
Critical vulnerability disclosed in WordPress Real Home Theme and Easy Real Estate Plugin (CVE-2024-32444, CVE-2024-32555)


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Cyble's Security Update Advisory provides a synopsis of the latest vulnerability patches released by various vendors. This advisory discusses critical vulnerabilities disclosed in the WordPress Real Home Theme and the Easy Real Estate plugin that is installed alongside it.

WordPress Real Home Theme is a premium WordPress theme designed specifically for real estate businesses and property listings. It offers a visually appealing and user-friendly layout, making it easy to showcase properties with high-quality images, detailed descriptions, and key features.

The Easy Real Estate Plugin complements themes like Real Home by adding essential features for real estate websites. It enables users to create, manage, and display property listings with details such as pricing, location, images, and amenities. The plugin often includes advanced tools such as property search filters, map integration, and lead capture forms, making it easier to manage and promote real estate listings. Together, they streamline real estate website development with minimal coding.

Patchstack first discovered CVE-2024-32444 in version 4.3.3, and three subsequent releases have shipped without any attempt to fix the reported issues. Patchstack has released a virtual patch that blocks attacks against this issue until an official fix becomes available.

Based on naming standards followed by Common Vulnerabilities and Exposures (CVE) and severity standards as defined by the Common Vulnerability Scoring System (CVSS), vulnerabilities are classified as high, medium, and low vulnerabilities.

Vulnerability Details

Unauthenticated Privilege Escalation (CVE-2024-32444)

CVSSv3.1: 9.8
Severity: Critical
Vulnerable Component: WordPress Real Homes Theme <= 4.3.6

Description: In the affected versions of the WordPress Real Homes Theme, the code does not properly handle user input and performs no authorization or nonce check. If user registration is enabled in the settings, any attacker can take over the website. The theme also did not check whether the user calling the inspiry_ajax_register action with a $user_role parameter has permission to create Administrator-role accounts, allowing anyone to create one.

Additional Information: A nuclei template for this vulnerability is publicly available.
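Because the theme's registration action accepts a caller-supplied $user_role, a defender can hunt for abuse by looking at admin-ajax.php calls that carry action=inspiry_ajax_register together with a privileged role. The script below is an added example written for this advisory, not code from the theme or from Cyble; it runs over constructed JSON-lines records whose field layout (client_ip, uri, body) is an assumption standing in for whatever your WAF or reverse proxy logs, and it assumes a missing user_role means the default subscriber role.

```python
import json
from urllib.parse import parse_qs, urlparse

# Roles a public self-registration call must never be allowed to request.
PRIVILEGED_ROLES = {"administrator", "editor"}

# Constructed sample records (JSON lines); the field layout is an assumption.
SAMPLE_LOG = """\
{"client_ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=inspiry_ajax_register&username=guest1&email=guest1%40example.com&password=pw&user_role=subscriber"}
{"client_ip":"203.0.113.77","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=inspiry_ajax_register&username=newadmin&email=x%40example.com&password=pw&user_role=administrator"}
{"client_ip":"203.0.113.77","method":"GET","uri":"/wp-admin/admin-ajax.php?action=inspiry_ajax_register&username=a2&email=a2%40example.com&password=pw&user_role=author","body":""}
{"client_ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat"}
{"client_ip":"203.0.113.12","method":"GET","uri":"/property/sample-listing/","body":""}
"""


def request_params(rec):
    """Merge query-string and form-body parameters (admin-ajax accepts both)."""
    params = {}
    for source in (urlparse(rec["uri"]).query, rec.get("body", "")):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params[key] = values[-1]  # last value wins, as PHP does
    return params


def classify(rec):
    """Verdict for one record, or None when it is not a registration call."""
    if not urlparse(rec["uri"]).path.endswith("/admin-ajax.php"):
        return None
    params = request_params(rec)
    if params.get("action") != "inspiry_ajax_register":
        return None
    # Assumption: no user_role parameter means the default subscriber role.
    role = params.get("user_role", "subscriber").strip().lower()
    if role in PRIVILEGED_ROLES:
        return "critical"      # caller tries to self-assign an admin-level role
    if role != "subscriber":
        return "suspicious"    # any other non-default role is still unexpected
    return "registration"      # ordinary sign-up, kept for baselining


def scan(log_text):
    """Return (client_ip, verdict, requested_role) for every registration call."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict:
            role = request_params(rec).get("user_role", "subscriber")
            hits.append((rec["client_ip"], verdict, role))
    return hits
```

A "critical" hit on a site that still runs a vulnerable theme version should be followed by a review of recently created administrator accounts in the WordPress users table.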

Unauthenticated Privilege Escalation (CVE-2024-32555)

CVSSv3.1: 9.8
Severity: Critical
Vulnerable Component: WordPress Easy Real Estate Plugin <= 2.2.6

Description: In the affected versions of the WordPress Easy Real Estate Plugin, the plugin does not verify that the email address supplied in the POST request belongs to the sender. An attacker who knows the administrator's email address can therefore log in to any user's account without knowing the account's password.

Recommendation

  1. Implement the latest patch released by the official vendor: Regularly update all software and hardware systems with the latest patches from official vendors to mitigate vulnerabilities and protect against exploits. Establish a routine schedule for patch application and ensure critical patches are applied immediately.

  2. Implement a robust patch management process: Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

  3. Incident response and recovery plan: Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

  4. Monitoring and logging malicious activities across the network: Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

  5. Mitigate risks associated with End-of-Life (EOL) products: Organizations should proactively identify EOL products, assess their criticality, and plan for timely upgrades or replacements.

Conclusion

WordPress themes and plugins are frequently targeted by threat actors (TAs) because of their widespread use and because many are not regularly updated or maintained by their developers. This lack of updates leaves vulnerabilities unpatched, making them an attractive target for exploitation. Emerging security flaws in these plugins and themes give attackers opportunities to compromise websites, steal data, or inject malicious code. Therefore, when relying on WordPress plugins or themes, it is crucial to perform thorough security checks, ensure they are actively maintained by reputable developers, and verify the availability of ongoing support to mitigate potential risks.
