Patchstack found two bugs in a WordPress theme and a plugin from InspiryThemes

The bugs were not addressed in the three latest versions

Users are advised to disable the products or limit new account creation

A popular WordPress theme and plugin have been found carrying vulnerabilities that allow malicious actors to elevate their privileges to admin.

WordPress security researchers Patchstack revealed that the theme and plugin in question are RealHomes and Easy Real Estate, both made by InspiryThemes and aimed at real estate websites. The vulnerabilities are tracked as CVE-2024-32444 and CVE-2024-32555, and both carry a severity score of 9.8/10 - critical. Both flaws allow malicious actors to elevate their privileges to admin, gaining full control of the WordPress site and allowing them to install, delete, or modify plugins, tamper with content, exfiltrate sensitive data, and more.

Citing data from Envato Market, Patchstack says RealHomes has been purchased 32,600 times, suggesting that the pool of potentially exposed sites is quite large.

No response from InspiryThemes

Patchstack warned website admins to disable the theme and plugin immediately, since the bugs have been known for months and still have no patch in sight.

The researchers also claim they tried, on multiple occasions, to get in touch with InspiryThemes and warn them about the flaws. The company allegedly did not respond to their inquiries but has, in the meantime, released three new versions for the flawed software. In all three versions, the vulnerabilities were not addressed.

Since the flaws are present in the newest versions as well, Patchstack urged users to disable the theme and plugin immediately to mitigate the risk of site takeover. Alternatively, admins could restrict user registration, since the bugs cannot be exploited in an environment where an attacker is unable to create a new account.
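The registration lock-down described above can be enforced in code rather than relying on the "Anyone can register" checkbox alone. The following must-use plugin is an added example for this article and is not code from Patchstack, InspiryThemes, or WordPress core; it assumes a standard WordPress install where files placed in wp-content/mu-plugins/ are loaded automatically and cannot be deactivated from the admin UI. It does not touch the theme or plugin themselves, which Patchstack still recommends disabling.

```php
<?php
/**
 * Plugin Name: Force public registration off (mitigation example)
 * Description: Added example, not vendor code. Drop into wp-content/mu-plugins/
 *              so it is always loaded and cannot be switched off from wp-admin.
 */

// 1. Make get_option( 'users_can_register' ) return 0 before the database is read.
//    pre_option_{$option} short-circuits the lookup when the filter returns
//    anything other than boolean false; __return_zero returns int 0.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 2. Refuse the public registration endpoint on wp-login.php outright, in case
//    some code path checks a cached or differently named setting.
//    login_form_{$action} fires before wp-login.php handles the given action.
add_action( 'login_form_register', function () {
	wp_die(
		esc_html__( 'New account registration is disabled on this site.' ),
		esc_html__( 'Registration disabled' ),
		array( 'response' => 403 )
	);
} );

// 3. Keep the stored option at 0 even if someone re-enables it under
//    Settings > General while this file is in place.
add_filter( 'pre_update_option_users_can_register', function ( $value, $old_value ) {
	return 0;
}, 10, 2 );
```

After dropping the file in place, `wp option get users_can_register` (WP-CLI) should print `0`, and visiting `/wp-login.php?action=register` should return a 403 page instead of the sign-up form. Note that this only closes the self-registration path; any other route the theme or plugin exposes for creating accounts is outside what this snippet controls, which is why disabling the vulnerable components remains the primary advice.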

Usually, when a bug is made public, threat actors start hunting for vulnerable websites, since the published details make exploitation straightforward.

WordPress plugins and themes continue to be one of the most popular targets for cybercriminals, given the website builder platform’s enormous popularity around the world.

Via BleepingComputer