Privilege Escalation Vulnerability in Homey Theme for WordPress
CVE-2024-12281

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Homey
Vendor: CVE Published:; 5 March 2025

Summary

The Homey Theme for WordPress is susceptible to a privilege escalation vulnerability that allows unauthorized users to elevate their permissions. This issue arises from the theme permitting new account registrants to assign roles such as Editor or Shop Manager without proper validation. As a result, unauthenticated attackers can exploit this weakness by creating an account with elevated privileges, potentially gaining control over critical functionalities of the site.

Affected Version(s)

Homey * <= 2.4.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/homey-booking-wordpress-them...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 5, 2025
Vulnerability Reserved
Dec 5, 2024

Credit

Tonn