CVE-2024-12281

CVE-2024-12281 is a privilege escalation vulnerability in the Homey theme for WordPress, affecting all versions up to and including 2.4.2. The flaw stems from the theme permitting users registering new accounts to arbitrarily set their own role, such as Administrator, Editor, or Shop Manager, which bypasses standard WordPress user role assignment controls. Published on 2025-03-05, it is mapped to CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By submitting a registration request with a self-assigned elevated role, they can create an account granting full administrative access or equivalent privileges, potentially allowing full site compromise including data exfiltration, content modification, or further malware deployment.

Advisories provide further details on the issue, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/3b93c33c-4ab1-48a2-b84d-3cb38ccea829?source=cve and the theme's listing on ThemeForest at https://themeforest.net/item/homey-booking-wordpress-theme/23338013. Security practitioners should consult these for patch availability and remediation guidance.