Critical WordPress vulnerabilities in RealHome theme and Easy Real Estate plugin allow attackers admin access. Learn how to secure your site now

Continue reading
Two critical vulnerabilities in the widely used RealHome theme and Easy Real Estate plugin for WordPress threaten thousands of real estate websites. Tracked as CVE-2024-32444 and CVE-2024-32555, these flaws allow unauthenticated attackers to gain administrator-level access, exposing sites to severe security risks. Despite these issues being discovered in September 2024, the vulnerabilities remain unpatched, making them exploitable by threat actors.
The RealHome theme and Easy Real Estate plugin, designed to streamline the creation and management of real estate websites, enjoy massive popularity. According to Envato Market data, the RealHome theme alone powers 32,600 websites globally. However, these very tools have now become potential gateways for attackers due to security flaws.
A critical flaw in the RealHome theme, identified as CVE-2024-32444 with a CVSS score of 9.8, results from an unauthenticated privilege escalation issue. This vulnerability lies in the inspiry\_ajax\_register function, which facilitates account registrations. The function fails to validate requests properly or check for authorization using a nonce. Consequently, attackers can exploit this loophole by crafting malicious HTTP requests, assigning themselves the "Administrator" role during the registration process.
Once an attacker gains administrator privileges, they can:
The flaw in the Easy Real Estate plugin, tracked as CVE-2024-32555 with the same CVSS score of 9.8, arises from its social login feature. This feature enables users to log in with their email address but does not verify whether the email belongs to the individual logging in. If attackers know an administrator’s email address, they can bypass the need for a password and gain direct access to the site.
Exploiting this vulnerability offers attackers similar powers as with CVE-2024-32444:
The vulnerabilities were first reported by security researchers at Patchstack in September 2024. Despite multiple attempts to contact the developer, InspiryThemes, the vendor has failed to respond. Over the past few months, InspiryThemes has released three updates for their products but has not addressed these critical issues.
This lack of action leaves websites using the RealHome theme and Easy Real Estate plugin in a high-risk state, with administrators unable to protect themselves through conventional updates.
Given that no patches are currently available, website administrators are urged to take the following immediate steps to mitigate the risk:
As the vulnerabilities are now public knowledge, threat actors are likely to actively scan for vulnerable websites. Unprotected sites risk being compromised, leading to significant damage to business reputation, loss of sensitive data, and legal repercussions.
This incident highlights the importance of regular updates and proactive communication from theme and plugin developers. Administrators should expect developers to provide timely updates addressing critical vulnerabilities, clear documentation on fixes, and regular communication about potential risks and planned security enhancements. Without these measures, website security remains uncertain and prone to exploitation. Website administrators are reminded to:
The RealHome theme and Easy Real Estate plugin vulnerabilities serve as a wake-up call for WordPress website owners. Act now to secure your sites by disabling these tools, restricting user registration, and monitoring activity. Taking these immediate steps can prevent catastrophic consequences and safeguard your data. Without immediate action, websites could fall victim to unauthenticated privilege escalations, causing catastrophic consequences. Until InspiryThemes addresses these critical issues, disabling the affected tools and implementing the recommended mitigations is the only way to ensure safety.
For more updates on WordPress vulnerabilities and cybersecurity best practices, stay tuned. Your website's security is only as strong as its weakest link.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.