Advisory

Critical unpatched flaws reported in premium WordPress real estate plugins RealHome and Easy Real Estate

Take action: If you are running the RealHome theme and the Easy Real Estate plugin for WordPress, consider them at immediate critical risk, if not already compromised. The critical flaws have been known since September 2024 and have not been patched. Disable them and move away quickly, or just wait to be hacked. Your choice.

A pair of critical security vulnerabilities have been discovered affecting popular WordPress real estate solutions: the RealHome theme and the Easy Real Estate plugin. These vulnerabilities were identified in September 2024 by Patchstack, but despite multiple attempts to contact the vendor InspiryThemes and three subsequent version releases, the issues remain unpatched.

  • The first vulnerability, tracked as CVE-2024-32444 (CVSS score: 9.8), affects the RealHome theme, which is currently used by approximately 32,600 websites according to Envato Market data. This vulnerability allows unauthenticated users to gain administrative privileges through the inspiry_ajax_register function due to improper authorization checks and a lack of nonce validation. When website registration is enabled, attackers can exploit this flaw by crafting special HTTP requests that specify their role as "Administrator," effectively bypassing security measures and gaining full control of the WordPress site.
  • The second vulnerability, identified as CVE-2024-32555 (CVSS score: 9.8), impacts the Easy Real Estate plugin's social login feature. This critical flaw enables unauthorized users to log in using an administrator's email address without requiring password verification. If an attacker knows an administrator's email address, they can gain unauthorized administrative access to the site. Once compromised, attackers can manipulate content, inject malicious scripts, and access sensitive user data.
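
For readers maintaining their own WordPress themes or plugins, the following is an added example (not InspiryThemes' code, and not taken from the advisory) of how an AJAX registration handler is written so that the two defect classes behind CVE-2024-32444, a missing nonce check and a role taken from the request, cannot occur. The action name `example_ajax_register` and the nonce action `example_register_nonce` are hypothetical.

```php
<?php
/**
 * Added example (not InspiryThemes' code): a hardened AJAX registration
 * handler. The action name 'example_ajax_register' is hypothetical.
 */

// Registered only for unauthenticated visitors (wp_ajax_nopriv_ prefix);
// logged-in users have no reason to call a registration endpoint.
add_action( 'wp_ajax_nopriv_example_ajax_register', 'example_ajax_register' );

function example_ajax_register() {
    // 1. CSRF protection: the request must carry a nonce issued by this site.
    //    check_ajax_referer() terminates the request when the nonce is
    //    missing or stale, so nothing below runs on a forged request.
    check_ajax_referer( 'example_register_nonce', 'security' );

    // 2. Honour the site setting instead of assuming registration is open.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid username, email or password.' ), 400 );
    }

    // 3. Authorization: the role is a server-side decision. Any 'role' key
    //    the client sends is simply never read; the new account always gets
    //    the site's configured default role (normally 'subscriber').
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    // Deliberately no auto-login here: the account exists but the visitor
    // still has to authenticate through the normal login flow.
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The same principle applies to the social-login weakness in CVE-2024-32555: an email address supplied by the client is an identifier, not a credential, and a login must only be issued after the identity provider's token has been verified server-side.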

Given that no security patches are currently available and these vulnerabilities are now public knowledge, website owners are strongly advised to disable the affected theme and plugin, and restrict user registration functionality on affected websites.

The public disclosure of these vulnerabilities increases the likelihood of threat actors actively scanning for and exploiting vulnerable websites.
