Critical Security Flaws Discovered in RealHome Theme and Plugin, Awaiting Patches

-
WordPress administrators managing real estate websites using the RealHome Theme and its associated plugin, Easy Real Estate, are urged to secure their sites due to unpatched vulnerabilities. Researchers from Patchstack have identified critical security flaws in the theme and plugin, which pose significant risks to websites.

RealHome Theme and Plugin Vulnerabilities Remain Unpatched

Patchstack researchers discovered two major vulnerabilities in the RealHome Theme and the Easy Real Estate plugin that could jeopardize website security:

CVE-2024-32444 (Critical severity, CVSS 9.8):
A lack of nonce checks in the code handling user inputs allows privilege escalation in the RealHome Theme. Malicious actors can exploit this to create new admin accounts by abusing the inspiry_ajax_register action with a $user_role parameter. This oversight enables unauthorized attackers to gain full control of affected websites.

CVE-2024-32555 (Critical severity, CVSS 9.8):
Another privilege escalation vulnerability exists in the ere_social_register() function of the Easy Real Estate plugin. This flaw allows an attacker to log in as the site admin using only the admin email address—bypassing password verification entirely. This vulnerability impacts plugin version 4.3.3.

Despite being informed promptly about these flaws, the developers at InspiryThemes have not issued patches at the time of writing. This delay exposes all websites using the theme and plugin to potential exploits.

Recommended Mitigations

Until patched versions are released, administrators are advised to:

1. Disable the RealHome Theme and Easy Real Estate plugin immediately to avoid exploitation.


2. Implement strict input validation for functions like wp_set_auth_cookie(), wp_update_user(), and update_user_meta().


3. Restrict the creation of user accounts to prevent the creation of unauthorized admin accounts.



These proactive measures can help mitigate risks until secure updates are available. Administrators should remain vigilant and monitor updates from the developers closely.

What do you think about this situation? Share your thoughts below.

Comments

Post a Comment

Popular posts from this blog

Saudi Royal Family's Lavish Car Collection Raises Eyebrows and Sparks Criticism.

-
Saudi Arabia is known for its luxurious lifestyle, showcased by its royal family. The family has accumulated vast investments in various sectors, including real estate, hospitality, and luxury cars. The properties possessed by the family include expansive palaces, seaside villas, and properties in major cities around the world. The family operates through its investment arm, the Saudi Arabian Investment Company (SAICO), which manages its vast portfolio of assets. The family has investments in some of the world's most luxurious hospitality brands, including Four Seasons and Ritz Carlton. They also own palatial homes and resorts, such as the Princess Nora bint Abdul Rahman University in Riyadh, which boasts a vast library, auditorium, and theatre. When it comes to vehicles, the Saudi royal family is known for their fleet of high-end luxury cars such as Rolls Royce, Lamborghini, Mercedes-Benz, Bentley, and Ferrari. They are chauffeured around in these exclusive rides, which showcase t...
Read more

Wikipedia Co-Founder Jimmy Wales Takes Aim at Elon Musk Over “Defund Wikipedia” Comments

-
Image
Wikipedia Co-Founder Jimmy Wales Takes Aim at Elon Musk Over “Defund Wikipedia” Comments Published: 22 January 2025 The online clash between tech leaders Elon Musk and Jimmy Wales has reignited, with the Wikipedia co-founder responding sharply to Musk’s call to “Defund Wikipedia.” The controversy began after Musk criticized the platform on X (formerly Twitter), referring to it as “Wokepedia” and urging users to stop donating until it “restores balance to its editing authority.” Musk’s frustrations appeared to stem from a recent update to his Wikipedia page that referenced his gesture at Donald Trump’s inauguration celebration—an event that remains divisive. His post read: “Defund Wikipedia until balance is restored! Stop donating to Wokepedia until they restore balance to their editing authority.” Jimmy Wales, never one to shy away from a debate, quickly fired back. In a pointed response, he wrote: “I think Elon is unhappy that Wikipedia is not for sale. I hope his campaign...
Read more

Activate Win11 OS, MS Office Permanently for free

-
Image
Experience the message on you Win OS Windows activation? Here are simple steps to get it activated, with bonus of Microsoft Office activation tool. Power on your machine,  Connect your machine to the Internet and follow up the process below. Press 1. Win button (Win + X and press A) it prompt do you want to open Windows Powershell?  2. Press Yes (PS C:\Users\DELL>) 3. Enter the following prompt irm https://get.activated.win | iex Wait for the PowerShell Scripts to run Select the option you want to activate ie:  [1]. HWID - Windows [2]  Ohook - Office [3] TSforce - Windows / Office / ESU [4] KMS38 - Windows [5] Online KMS - Windows / Office  [6] Check Activation Status [7] Change Windows Edition  [8] Change Office Edition  [9] Troubleshoot  [E] Extras [H] Help [0] Exit Choose a menu option using your keyboard [1,2,3...E,H,0]:
Read more