CVE-2024-13421
Published: 12 February 2025
Description
The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to register a new administrative user account.
Security Summary
CVE-2024-13421 is a privilege escalation vulnerability in the Real Estate 7 WordPress theme for WordPress, affecting all versions up to and including 3.5.1. The flaw arises because the theme fails to properly restrict the user roles that can be selected during account registration, allowing attackers to assign themselves elevated privileges.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no required privileges or user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation enables remote registration of a new administrative user account, granting full control over the WordPress site and potential compromise of confidentiality, integrity, and availability.
Advisories and mitigation guidance are available via the theme's changelog at https://contempothemes.com/changelog/, the ThemeForest product page at https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/a50b3304-d55b-487a-8137-d5083c704cf4?source=cve, which security practitioners should consult for patching details. The vulnerability is associated with CWE-266 (Incorrect Privilege Assignment).
Details
- CWE(s)