
WordPress Real Estate Plugins Vulnerable to Admin Takeovers

  • Last updated January 27, 2025
  • written by
    Writer

San Francisco, CA – January 23, 2025 – Critical vulnerabilities in WordPress real estate plugins RealHome and Easy Real Estate allow attackers to gain admin control. Disable now to stay protected.

Two critical zero-day vulnerabilities have been discovered in popular WordPress real estate plugins, threatening over 32,600 websites globally. The flaws, found in the RealHome theme and the Easy Real Estate plugin, allow unauthenticated attackers to escalate privileges and gain administrator-level control over affected websites.

Cybersecurity firm Patchstack identified the issues back in September 2024, reporting them to the vendor, InspiryThemes. However, despite releasing three updates since then, the vendor has failed to patch the vulnerabilities, leaving users exposed. A cybersecurity analyst said:

The Threats Explained

  1. CVE-2024-32444: Found in the RealHome theme, this flaw lies in the inspiry_ajax_register function, which lets attackers create administrator accounts without proper authorization checks.
  2. CVE-2024-32555: In the Easy Real Estate plugin, the social login feature allows attackers to bypass password verification if they know an admin’s email address.

Once exploited, attackers can plant malware, manipulate content, or steal sensitive user data.

Urgent Mitigation Needed

Website administrators are urged to disable these plugins immediately and restrict user registrations to prevent unauthorized account creations. As the flaws are now public, threat actors are expected to exploit them aggressively.
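The check below is an added example, not code from Patchstack, the vendor or this article: it audits a site for the outcome both flaws lead to, namely unexpected administrator accounts and open registration. It assumes the user list was exported with WP-CLI (`wp user list --fields=user_login,user_email,user_registered,roles --format=json`) and the two options read with `wp option get`; the sample accounts, the baseline date and the approved list are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample of the WP-CLI JSON export (not real accounts).
SAMPLE_USERS = """[
 {"user_login": "siteowner", "user_email": "owner@example.test",
  "user_registered": "2021-03-14 09:12:44", "roles": "administrator"},
 {"user_login": "agent_kim", "user_email": "kim@example.test",
  "user_registered": "2024-11-02 16:40:03", "roles": "editor"},
 {"user_login": "wpsupport7", "user_email": "x@example.test",
  "user_registered": "2025-01-24 03:17:59", "roles": "administrator"},
 {"user_login": "newdev", "user_email": "dev@example.test",
  "user_registered": "2024-12-10 10:00:00", "roles": "administrator,editor"}
]"""


def find_suspect_admins(users_json, baseline, approved):
    """Return admin logins registered after `baseline` (YYYY-MM-DD) and not in `approved`."""
    cutoff = datetime.strptime(baseline, "%Y-%m-%d")
    suspects = []
    for user in json.loads(users_json):
        # WP-CLI prints multiple roles as a comma-separated string.
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "administrator" not in roles:
            continue
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if created > cutoff and user["user_login"] not in approved:
            suspects.append(user["user_login"])
    return suspects


def registration_findings(options):
    """Flag registration settings that leave account creation open."""
    findings = []
    if options.get("users_can_register") == "1":
        findings.append("users_can_register is enabled")
    if options.get("default_role") not in (None, "subscriber"):
        findings.append("default_role is " + options["default_role"])
    return findings


if __name__ == "__main__":
    # Baseline is an assumption: the last date the admin list was known good.
    print(find_suspect_admins(SAMPLE_USERS, "2024-09-01", {"newdev"}))
    print(registration_findings({"users_can_register": "1", "default_role": "subscriber"}))
```

Any login it reports should be confirmed with the site owner before removal, and a clean result does not replace disabling the affected theme and plugin.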

