Authentication Bypass in Homey Theme for WordPress
CVE-2025-0749

8.1HIGH

Key Information:

Vendor: WordPress
Status: Homey
Vendor: CVE Published:; 7 March 2025

Summary

The Homey theme for WordPress is susceptible to an authentication bypass that affects versions up to and including 2.4.3. This vulnerability arises from the 'verification_id' field being left empty, and the absence of a proper check on this field in the dashboard user profile section. Consequently, this can allow unauthenticated attackers to gain access to the first verified user's account, presenting serious security risks for site owners.

Affected Version(s)

Homey * <= 2.4.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://favethemes.zendesk.com/hc/en-us/articles/44077211...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2025
Vulnerability Reserved
Jan 27, 2025

Credit

István Márton