WordPress users beware - these popular theme plugins have some major security issues

(Image credit: Pixabay)

Patchstack found two bugs in a WordPress theme and a plugin from InspiryThemes
The bugs were not addressed in three latest versions
Users are advised to disable the products or limit new account creation

A popular WordPress theme and plugin have been found carrying vulnerabilities that allow malicious actors to elevate their privileges to admin.

WordPress security researchers Patchstack revealed the theme and plugin in question are called RealHomes and Easy Real Estate, both designed by InspiryThemes, and designed to be used in the real estate industry. The vulnerabilities are tracked as CVE-2024-32444, and CVE-2024-32555, and both have a severity score of 9.8/10 - critical. Both flaws allow malicious actors to elevate their privileges to admin, gaining full control of the WordPress site, and allowing them to install, delete, or modify plugins, tamper with the content, exfiltrate sensitive data, and more.

Citing data from Envanto Market, Patchstack says RealHomes was purchased 32,600 times, suggesting that the attack landscape is quite large.

No response from InspiryThemes

Patchstack warned website admins to disable the resources immediately, since the bugs have been around for months and still have no patch in sight.

The researchers also claim they tried, on multiple occasions, to get in touch with InspiryThemes and warn them about the flaws. The company allegedly did not respond to their inquiries but has, in the meantime, released three new versions for the flawed software. In all three versions, the vulnerabilities were not addressed.

Since they are present in the newest versions as well, Patchstack urged users to disable the theme and plugin immediately, to mitigate potential risk of site takeover. Alternatively, admins could restrict user registration, since the bug cannot be exploited in an environment where new accounts cannot be generated.

Usually, when a bug is made public, threat actors start hunting for vulnerable websites, since they can easily be exploited.

WordPress plugins and themes continue to be one of the most popular targets for cybercriminals, given the website builder platform’s enormous popularity around the world.

Via BleepingComputer

Top WordPress plugins found to have some serious security flaws, so make sure you're protected
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.