Saturday, February 15, 2025
HomeCVE/vulnerabilityWordpress Plugin Vulnerability Exposes 23k+ Websites to Hacking

WordPress Plugin Vulnerability Exposes 23k+ Websites to Hacking

Published on

SIEM as a Service

Follow Us on Google News

Researchers from Patchstack have warned that over 23,000 real estate websites using the popular RealHomes WordPress theme and its bundled Easy Real Estate plugin are exposed to critical security vulnerabilities.

These vulnerabilities allow unauthenticated attackers to escalate privileges, take over administrator accounts, and compromise websites.

Let’s dive into the technical details of these vulnerabilities and the actions website owners can take to protect their platforms.

1. Unauthenticated Privilege Escalation in RealHomes Theme

The RealHomes theme, widely used by real estate websites, suffers from an unauthenticated privilege escalation flaw, CVE-2024-32444.

This vulnerability stems from improper authorization and missing nonce validation in the inspiry_ajax_register() function.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Attackers can exploit this issue to create administrator accounts with just a series of malicious HTTP requests. Here’s an excerpt of the vulnerable code from the RealHomes theme:

function inspiry_ajax_register() {
    // First check the nonce
    check_ajax_referer( 'inspiry-ajax-register-nonce', 'inspiry-secure-register' );
    // Assign user role without proper authorization checks
    if ( ! empty( $_POST['user_role'] ) ) {
        $info['role'] = sanitize_text_field( $_POST['user_role'] );
    } else {
        $info['role'] = get_option( 'default_role', 'subscriber' );
    }
    // Register the user
    $user_register = wp_insert_user( $info );
    if ( is_wp_error( $user_register ) ) {
        // Handle errors
    } else {
        // Send registration success response
        echo json_encode( array( 'success' => true ) );
    }
    die();
}

The issue arises because the $user_role parameter accepts malicious input, allowing attackers to assign themselves the Administrator role.

2. Unauthenticated Login in Easy Real Estate Plugin

The Easy Real Estate plugin, a companion to the RealHomes theme, fails to verify user credentials properly in the ere_social_register() function, CVE-2024-32555.

By crafting a malicious request using a known administrator email address, attackers can log into WordPress accounts without needing a password. Here’s the vulnerable section of the ere_social_register() function:

function ere_social_register( $register_cred ) {
    $existing_user = get_user_by( 'email', $register_cred['user_email'] );
    if ( $existing_user ) {
        wp_set_auth_cookie( $existing_user->ID ); // No ownership check
        wp_set_current_user( $existing_user->ID );
        ere_social_login_redirect();
        exit;
    }
}

This flaw is particularly dangerous as it grants attackers full access to accounts by knowing just the email ID of a user.

Patchstack initially reported these vulnerabilities in version 4.3.3 of RealHomes several months ago. Despite three updates to the theme and plugin since then, the vendor has not released a patch to address these issues.

There is no resolution, leaving affected websites at risk. Patchstack customers, however, are protected through their proactive vulnerability management system.

Until a patch is issued, website owners are strongly advised to take immediate measures:

  1. Disable Both the RealHomes Theme and Easy Real Estate Plugin
    Temporarily deactivate these assets on your website to eliminate the risk of exploitation.
  2. Monitor Website Activity for Suspicious Behavior
    Check for unauthorized user accounts or unusual administrative activity on your WordPress dashboard.
  3. Implement Plugin Security Solutions
    Use security plugins like Wordfence or Patchstack to mitigate potential vulnerabilities temporarily.
  4. Restrict User Registration
    If user registration is enabled, disable it until the vulnerabilities are patched.

This incident underscores the importance of secure coding practices. Developers should rigorously validate user input and implement proper authentication mechanisms.

Functions like wp_set_auth_cookie() and wp_insert_user() should never rely on untrusted input from external sources. For instance, the inclusion of stricter role validation could mitigate privilege escalation risks:

if ( ! current_user_can( 'administrator' ) ) {
    wp_die( 'Unauthorized action.' );
}

The RealHomes theme and Easy Real Estate plugin vulnerabilities highlight the dangers of insecure coding practices in WordPress add-ons.

While website owners await a patch from the vendor, taking immediate action to disable these components and secure accounts is paramount.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...