Description
Two critical zero-day vulnerabilities have been discovered in WordPress products widely used in real estate websites: the RealHome theme and the Easy Real Estate plugin. These vulnerabilities allow unauthenticated attackers to escalate their privileges to administrative levels, granting them full control of the affected WordPress websites. The flaws, tracked as CVE-2024-32444 (RealHome) and CVE-2024-32555 (Easy Real Estate), were first identified by researchers at Patchstack in September 2024. Despite multiple efforts to contact the vendor, InspiryThemes, no security fixes have been implemented in subsequent updates. The issues remain unpatched and exploitable, posing a serious threat to thousands of websites. The RealHome theme alone is estimated to be active on over 32,600 websites, making this vulnerability a significant risk for site owners and their visitors.
Attack Details
Attackers bypass iMessage's built-in phishing protection by persuading users to reply to messages from unknown senders. These messages, often disguised as urgent notifications from reputable entities such as shipping companies or government agencies, claim issues like unpaid tolls or delivery problems. They instruct recipients to reply with specific keywords, such as "Y," which re-enables links that iMessage had disabled and thereby bypasses Apple's protections. By exploiting users' familiarity with simple "Yes" or "No" replies, attackers increase the likelihood of compliance. Once a user replies, they not only enable potentially malicious links but also signal that they are an active target, opening the door to follow-up attacks.
Remediation
Since there are no security patches to address these vulnerabilities, website owners must take immediate steps to mitigate the risk:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
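Because both flaws let an unauthenticated attacker reach the administrator role, the most direct indicator of compromise on an affected site is an administrator account the owner did not create. The following script is an added example, not code from the advisory, Patchstack or InspiryThemes: it reads the JSON that `wp user list --format=json` produces (the field names `user_login`, `user_registered` and `roles` are assumed from WP-CLI's default output) and reports administrators that are missing from a baseline allowlist or were registered after a chosen date. The sample export embedded below is constructed.

```python
"""Audit WordPress administrator accounts against a known baseline.

Added example (not part of the advisory). Input is expected in the shape of
`wp user list --format=json`; field names are an assumption about WP-CLI's
default columns.
"""
import json
from datetime import datetime

# Constructed sample export, not real site data.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.invalid",
     "user_registered": "2022-03-01 09:15:00", "roles": "administrator"},
    {"ID": 7, "user_login": "agent_jane", "user_email": "jane@example.invalid",
     "user_registered": "2023-06-12 14:02:10", "roles": "author"},
    {"ID": 42, "user_login": "wpadmin2", "user_email": "x@mail.invalid",
     "user_registered": "2024-12-03 02:47:33", "roles": "administrator"},
])

# Baseline: the administrator logins the site owner knows they created (constructed).
KNOWN_ADMINS = {"siteowner"}


def find_suspicious_admins(export_json, known_admins, not_before):
    """Return [(login, [reasons])] for administrator accounts that are either
    absent from the baseline or registered on/after `not_before` (YYYY-MM-DD)."""
    users = json.loads(export_json)
    cutoff = datetime.strptime(not_before, "%Y-%m-%d")
    findings = []
    for user in users:
        # WP-CLI joins multiple roles with commas in the `roles` column.
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "administrator" not in roles:
            continue
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not in baseline")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            reasons.append(f"registered {user['user_registered']}")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    # Use the month the flaws were first identified as the review cutoff.
    for login, reasons in find_suspicious_admins(SAMPLE_EXPORT, KNOWN_ADMINS, "2024-09-01"):
        print(f"REVIEW administrator '{login}': {', '.join(reasons)}")
```

The registration date is only a weak signal on its own: an existing low-privilege account that was elevated to administrator keeps its original `user_registered` value, so the comparison against the baseline allowlist is the check that catches that case. Run the export on the live site and feed the output to `find_suspicious_admins` in place of the constructed sample.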