Platform
wordpress
Component
homey-login-register
Fixed in
2.4.1
CVE-2024-11951 represents a critical privilege escalation vulnerability discovered in the Homey Login Register plugin for WordPress. This flaw allows unauthenticated attackers to elevate their privileges to the administrator role during the account registration process. The vulnerability affects versions of the plugin up to and including 2.4.0. A fix is available in a subsequent version (check vendor advisory).
The impact of this vulnerability is severe. An attacker exploiting CVE-2024-11951 can bypass standard authentication mechanisms and gain full administrative control over the WordPress site. This grants them the ability to modify content, install malicious plugins, access sensitive data, and potentially compromise the entire system. The ease of exploitation (simply creating a new user account) significantly increases the risk, particularly for sites with limited security hardening or those relying solely on the plugin's default configuration. This vulnerability mirrors the impact of other privilege escalation flaws where attackers can gain unauthorized administrative access.
CVE-2024-11951 was publicly disclosed on 2025-03-05. Currently, there are no known public proof-of-concept exploits available. The vulnerability's ease of exploitation and the widespread use of WordPress plugins suggest a potential for exploitation in the future. Its inclusion in the NVD is pending, and no CISA KEV listing exists as of this writing.
WordPress websites utilizing the Homey Login Register plugin, particularly those with limited security hardening or outdated plugin versions, are at significant risk. Shared hosting environments where plugin updates are not consistently managed are also particularly vulnerable. Sites relying on this plugin for user registration without robust role-based access controls face the highest exposure.
• wordpress / composer / npm:
grep -r 'wp_set_current_user' /var/www/html/wp-content/plugins/homey-login-register/
• wordpress / composer / npm:
wp plugin list | grep 'homey-login-register'
• wordpress / composer / npm:
wp plugin update homey-login-register
Disclosure
Exploit status
EPSS
0.48% (65th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11951 is to upgrade the Homey Login Register plugin to a version that addresses the vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent new account creation. As a short-term workaround, restrict user registration to only trusted sources or implement a manual approval process for new accounts. Monitor WordPress logs for suspicious account creation attempts. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual user role assignments is recommended.
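The two checks the mitigation text calls for, a version check of the installed plugin and a review of administrator accounts for unexpected role assignments, can be scripted against WP-CLI output. The following is an added example and not code from the advisory or from the plugin vendor. It assumes the CSV text produced by `wp plugin list --fields=name,status,version --format=csv` and `wp user list --fields=ID,user_login,roles,user_registered --format=csv`; the two samples embedded below are constructed for illustration, and the baseline of known administrator logins is something the site operator supplies.

```python
"""Triage helpers for CVE-2024-11951 (added example, not the advisory's own code).

Assumed inputs are the CSV outputs of:
  wp plugin list --fields=name,status,version --format=csv
  wp user list --fields=ID,user_login,roles,user_registered --format=csv
"""
import csv
import io

PLUGIN_SLUG = "homey-login-register"
# Versions up to and including 2.4.0 are affected according to the advisory.
LAST_VULNERABLE = (2, 4, 0)

# Constructed sample of `wp plugin list ... --format=csv` (not real site data).
PLUGIN_LIST_CSV = """name,status,version
akismet,active,5.3
homey-login-register,active,2.4.0
"""

# Constructed sample of `wp user list ... --format=csv` (not real site data).
USER_LIST_CSV = """ID,user_login,roles,user_registered
1,siteowner,administrator,2021-06-01 09:12:00
17,jdoe,subscriber,2024-11-20 14:03:11
42,newadmin,administrator,2025-03-06 02:41:57
"""


def parse_version(version):
    """Turn '2.4.0' or '2.4.1-beta' into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def vulnerable_plugin(plugin_csv):
    """Return (installed_version, is_vulnerable) for the plugin, or None if absent."""
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        if row["name"] == PLUGIN_SLUG:
            return row["version"], parse_version(row["version"]) <= LAST_VULNERABLE
    return None


def suspicious_admins(user_csv, known_admins):
    """List (login, registered_at) for administrator accounts not in the baseline.

    The baseline `known_admins` is the set of logins the operator expects to hold
    the administrator role; anything else with that role warrants review.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        # WP-CLI joins multiple roles with commas; the csv module unquotes them.
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" in roles and row["user_login"] not in known_admins:
            hits.append((row["user_login"], row["user_registered"]))
    return hits


if __name__ == "__main__":
    found = vulnerable_plugin(PLUGIN_LIST_CSV)
    if found is None:
        print("plugin not installed")
    else:
        version, vuln = found
        print(f"{PLUGIN_SLUG} {version}: {'VULNERABLE' if vuln else 'patched'}")
    for login, registered in suspicious_admins(USER_LIST_CSV, {"siteowner"}):
        print(f"review administrator account {login!r} registered {registered}")
```

Run it against live output by replacing the two constructed strings with the captured WP-CLI CSV; a non-empty result from `suspicious_admins` after the upgrade is a sign that an account created through the vulnerable registration flow may still hold the administrator role and should be examined before the incident is closed.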
Update the Homey Login Register plugin to the latest available version. This fixes the privilege escalation vulnerability that allows unauthenticated users to obtain administrator access.
CVE-2024-11951 is a critical vulnerability in the Homey Login Register WordPress plugin allowing attackers to gain administrator privileges during account registration.
You are affected if your WordPress site uses the Homey Login Register plugin version 2.4.0 or earlier. Check your plugin versions immediately.
Upgrade the Homey Login Register plugin to the latest available version that addresses the vulnerability. If upgrading is not possible, temporarily disable the plugin.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official Homey Login Register plugin website or the WordPress plugin repository for the latest advisory and update information.