Critical zero-days impact premium WordPress real estate plugins
The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges.
Although the two flaws were discovered in September 2024 by Patchstack, and multiple attempts were made to contact the vendor (InspiryThemes), the researchers say they have not received a response.
Also, Patchstack says the vendor released three versions since September, but no security fixes to address the critical issues were introduced. Hence, the issues remain unfixed and exploitable.
Vulnerability details
The RealHome theme and Easy Real Estate are among the most popular themes and plugins designed for use in real estate websites. According to Envanto Market data, the RealHome theme is used in 32,600 websites.
The first flaw, which impacts RealHome theme, is an unauthenticated privilege escalation problem tracked as CVE-2024-32444 (CVSS score: 9.8).
The theme allows users to register new accounts via the inspiry_ajax_register function, however, it does not properly check authorization or implement a nonce validation.
If registration is enabled on the website, attackers can arbitrarily specify their role as "Administrator" in a specially crafted HTTP request to the registration function, essentially bypassing security checks.
Once registered as an administrator, the attacker can subsequently gain full control of the WordPress site, including performing content manipulation, planting scripts, and accessing user or other sensitive data.
The flaw impacting the Easy Real Estate plugin is another unauthenticated privilege escalation issue via the social login. It's tracked under CVE-2024-32555 (CVSS score: 9.8).
The problem stems from the social login feature, which allows users to log in using their email address without verifying if it belongs to the person making the request.
As a result, if an attacker knows an admin's email address, they can log in without needing a password. The repercussions of successful exploitation are similar to those of CVE-2024-32444.
Mitigation recommendations
As no patch has been released yet by InspiryThemes, website owners and administrators using the said theme or plugin should disable them immediately.
Restricting user registration on affected websites would also prevent unauthorized account creations, limiting the potential for exploitation.
As the problems on the two add-ons are now public, threat actors are bound to explore their potential and scan for vulnerable websites, so responding quickly to mitigate the threat is crucial at this point.
Trump Overturns Biden Rules on AI Development, Security
Under lock and key: Protecting corporate data from cyberthreats in 2025
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
MediumCWE-498 Cloneable Class Containing Sensitive Information
CWE-773 Missing Reference to Active File Descriptor or Handle
CWE-914 Improper Control of Dynamically-Identified Variables
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer
CWE-344 Use of Invariant Value in Dynamically Changing Context
Free online web security scanner