CVE-2024-32444
Published 2025-09-03
Priority P2 · 61 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.65% (46.4th percentile)
Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation. This issue affects RealHomes: from n/a through <= 4.3.6.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inspirythemes | realhomes | < 4.3.7 | 4.3.7 |
| inspirythemes | realhomes | <= 4.3.6 | — |
Detection & IOCs (extracted from sources)
- Exploit targets the `inspiry_ajax_register` function in the RealHomes theme; monitor HTTP requests to this function for unexpected or attacker-controlled `role` parameters set to 'Administrator'.
- Detect unauthenticated POST requests to the WordPress registration endpoint that include a role field set to 'Administrator', which is the exploitation pattern for CVE-2024-32444.
- Alert on new WordPress user accounts created with Administrator role when originating from unauthenticated sessions on sites running RealHomes <= 4.3.6.
- The vulnerability is only exploitable if user registration is enabled on the WordPress site. Sites with registration disabled are not directly vulnerable to unauthenticated account creation via this vector.
- No patch is available as of disclosure; the vendor released three versions since September 2024 without addressing this issue. All RealHomes versions through 4.3.6 remain vulnerable.
No detection rules found.
No public exploits indexed.