CVE-2024-32444
published 2025-09-03

Priority: P261, critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.65% (46.4th percentile)

Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation. This issue affects RealHomes: from n/a through <= 4.3.6.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inspirythemes | realhomes | < 4.3.7 | 4.3.7 |
| inspirythemes | realhomes | <= 4.3.6 | |

Detection & IOCs

  • Exploit targets the `inspiry_ajax_register` function in the RealHomes theme; monitor HTTP requests to this function for unexpected or attacker-controlled `role` parameters set to 'Administrator'.
  • Detect unauthenticated POST requests to the WordPress registration endpoint that include a role field set to 'Administrator', which is the exploitation pattern for CVE-2024-32444.
  • Alert on new WordPress user accounts created with Administrator role when originating from unauthenticated sessions on sites running RealHomes <= 4.3.6.
  • The vulnerability is only exploitable if user registration is enabled on the WordPress site. Sites with registration disabled are not directly vulnerable to unauthenticated account creation via this vector.
  • No patch is available as of disclosure; the vendor released three versions since September 2024 without addressing this issue. All RealHomes versions through 4.3.6 remain vulnerable.
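
The request-side checks in the list above, sketched as a log filter. This is an added example, not code from RealHomes or from the sources quoted; the JSON log schema, form field names such as `username`, and the sample records are constructed assumptions.

```python
import json
from urllib.parse import parse_qs

PRIVILEGED = {"administrator"}        # role value named in the guidance above
AUTH_COOKIE = "wordpress_logged_in_"  # WordPress login cookie name prefix

# Constructed sample log, one JSON object per request (schema is an assumption).
SAMPLE_LOG = """\
{"ip": "198.51.100.7", "method": "POST", "cookie": "", "body": "username=alice&role=subscriber"}
{"ip": "203.0.113.9", "method": "POST", "cookie": "", "body": "username=bob&role=Administrator"}
{"ip": "203.0.113.9", "method": "POST", "cookie": "", "body": "username=eve&role%5B%5D=%20ADMINISTRATOR"}
{"ip": "192.0.2.44", "method": "POST", "cookie": "wordpress_logged_in_abc=x", "body": "username=carol&role=administrator"}
{"ip": "192.0.2.50", "method": "GET", "cookie": "", "body": ""}
"""

def requested_roles(body):
    """Return the normalised values of every role / role[] form field."""
    roles = []
    for key, values in parse_qs(body, keep_blank_values=True).items():
        # parse_qs has already URL-decoded the key, so role%5B%5D arrives as role[]
        if key.strip().lower().rstrip("[]") == "role":
            roles += [v.strip().lower() for v in values]
    return roles

def is_authenticated(cookie_header):
    """Heuristic: a login cookie is present (a log cannot prove it is valid)."""
    names = (c.split("=", 1)[0].strip() for c in cookie_header.split(";"))
    return any(n.startswith(AUTH_COOKIE) for n in names)

def find_suspicious(log_text):
    """Source IPs of unauthenticated POSTs that ask for a privileged role."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method", "").upper() != "POST":
            continue
        if is_authenticated(rec.get("cookie", "")):
            continue
        if PRIVILEGED & set(requested_roles(rec.get("body", ""))):
            hits.append(rec["ip"])
    return hits

if __name__ == "__main__":
    for ip in find_suspicious(SAMPLE_LOG):
        print("ALERT: unauthenticated request asking for administrator role from", ip)
```

Matching is case-insensitive and covers URL-encoded and `role[]` forms, so trivially altered requests are still flagged; pair it with the account-creation alert from the list, since request logs alone do not show whether the account was created.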