Privilege Escalation in Homey Login Register Plugin for WordPress
CVE-2024-11951

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Homey Login Register
Vendor: CVE Published:; 5 March 2025

What is CVE-2024-11951?

The Homey Login Register plugin for WordPress presents a vulnerability that permits unauthenticated users to exploit the account registration process. Specifically, the plugin allows new users to set their own user roles, including the ability to register as an administrator. This flaw can lead to unauthorized privilege escalation, enabling attackers to gain administrative access to the WordPress site and potentially compromising site security and data integrity.

Affected Version(s)

Homey Login Register * <= 2.4.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/homey-booking-wordpress-them...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 5, 2025
Vulnerability Reserved
Nov 27, 2024

Credit

Tonn

JSON