WordPress Plugin Vulnerability Exposes 23k+ Websites to Hacking

Researchers from Patchstack have warned that over 23,000 real estate websites using the popular RealHomes WordPress theme and its bundled Easy Real Estate plugin are exposed to critical security vulnerabilities.

These vulnerabilities allow unauthenticated attackers to escalate privileges, take over administrator accounts, and compromise websites.

Let’s dive into the technical details of these vulnerabilities and the actions website owners can take to protect their platforms.

1. Unauthenticated Privilege Escalation in RealHomes Theme

The RealHomes theme, widely used by real estate websites, suffers from an unauthenticated privilege escalation flaw, CVE-2024-32444.

This vulnerability stems from improper authorization and missing nonce validation in the inspiry_ajax_register() function.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Attackers can exploit this issue to create administrator accounts with just a series of malicious HTTP requests. Here’s an excerpt of the vulnerable code from the RealHomes theme:

function inspiry_ajax_register() {
    // First check the nonce
    check_ajax_referer( 'inspiry-ajax-register-nonce', 'inspiry-secure-register' );
    // Assign user role without proper authorization checks
    if ( ! empty( $_POST['user_role'] ) ) {
        $info['role'] = sanitize_text_field( $_POST['user_role'] );
    } else {
        $info['role'] = get_option( 'default_role', 'subscriber' );
    }
    // Register the user
    $user_register = wp_insert_user( $info );
    if ( is_wp_error( $user_register ) ) {
        // Handle errors
    } else {
        // Send registration success response
        echo json_encode( array( 'success' => true ) );
    }
    die();
}

The issue arises because the $user_role parameter accepts malicious input, allowing attackers to assign themselves the Administrator role.

2. Unauthenticated Login in Easy Real Estate Plugin

The Easy Real Estate plugin, a companion to the RealHomes theme, fails to verify user credentials properly in the ere_social_register() function, CVE-2024-32555.

By crafting a malicious request using a known administrator email address, attackers can log into WordPress accounts without needing a password. Here’s the vulnerable section of the ere_social_register() function:

function ere_social_register( $register_cred ) {
    $existing_user = get_user_by( 'email', $register_cred['user_email'] );
    if ( $existing_user ) {
        wp_set_auth_cookie( $existing_user->ID ); // No ownership check
        wp_set_current_user( $existing_user->ID );
        ere_social_login_redirect();
        exit;
    }
}

This flaw is particularly dangerous as it grants attackers full access to accounts by knowing just the email ID of a user.

Patchstack initially reported these vulnerabilities in version 4.3.3 of RealHomes several months ago. Despite three updates to the theme and plugin since then, the vendor has not released a patch to address these issues.

There is no resolution, leaving affected websites at risk. Patchstack customers, however, are protected through their proactive vulnerability management system.

Until a patch is issued, website owners are strongly advised to take immediate measures:

1. Disable Both the RealHomes Theme and Easy Real Estate Plugin
   Temporarily deactivate these assets on your website to eliminate the risk of exploitation.
2. Monitor Website Activity for Suspicious Behavior
   Check for unauthorized user accounts or unusual administrative activity on your WordPress dashboard.
3. Implement Plugin Security Solutions
   Use security plugins like Wordfence or Patchstack to mitigate potential vulnerabilities temporarily.
4. Restrict User Registration
   If user registration is enabled, disable it until the vulnerabilities are patched.

This incident underscores the importance of secure coding practices. Developers should rigorously validate user input and implement proper authentication mechanisms.

Functions like wp_set_auth_cookie() and wp_insert_user() should never rely on untrusted input from external sources. For instance, the inclusion of stricter role validation could mitigate privilege escalation risks:

if ( ! current_user_can( 'administrator' ) ) {
    wp_die( 'Unauthorized action.' );
}

The RealHomes theme and Easy Real Estate plugin vulnerabilities highlight the dangers of insecure coding practices in WordPress add-ons.

While website owners await a patch from the vendor, taking immediate action to disable these components and secure accounts is paramount.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar