Platform: wordpress
Component: homey
Fixed in: 2.4.3
CVE-2024-12281 is a privilege escalation vulnerability in the Homey WordPress plugin. It allows unauthenticated attackers to bypass intended access controls and gain elevated privileges. The vulnerability affects Homey versions up to and including 2.4.2. A fix is available via plugin update.
The core of this vulnerability lies in the plugin's account registration process. Homey, in vulnerable versions, permits newly registered users to self-assign roles, including those with significant administrative capabilities like Editor or Shop Manager. An attacker can exploit this by creating a new account and immediately assigning themselves a privileged role, effectively bypassing standard WordPress user access controls. This grants them the ability to modify content, manage users, and potentially compromise the entire WordPress site, depending on the permissions associated with the assigned role. The blast radius extends to any data accessible by the elevated user, including sensitive information stored within the WordPress database or accessible through plugins.
CVE-2024-12281 was publicly disclosed on 2025-03-05. While no public proof-of-concept (PoC) code has been released, the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability's criticality (CVSS 9.8) and ease of exploitation suggest a medium probability of exploitation. It is not currently listed on the CISA KEV catalog.
Websites utilizing the Homey plugin, particularly those with open user registration enabled, are at significant risk. Shared hosting environments where multiple WordPress sites share the same server resources are also vulnerable, as a compromise on one site could potentially lead to lateral movement and compromise other sites using the vulnerable plugin.
• wordpress / composer / npm: grep -rF 'wp_set_role("$wp_user->roles",' /var/www/html/wp-content/plugins/homey/*
• wordpress / composer / npm: wp plugin list --status=active | grep homey
• wordpress / composer / npm: wp plugin update homey --all
Disclosure
Exploit status
EPSS: 0.48% (65th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12281 is to immediately update the Homey plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider temporarily restricting user registration roles to prevent new accounts from being created with elevated privileges. WordPress administrators can also implement a Web Application Firewall (WAF) rule to block requests attempting to assign privileged roles during account creation. Regularly review user roles and permissions to identify and remove any unauthorized elevated accounts. After upgrading, confirm the fix by attempting to create a new user account and verifying that role assignment is restricted.
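As an added example (not code from this advisory or from Homey), a must-use plugin that implements the "restrict registration roles" workaround described above and provides the post-upgrade audit of privileged accounts. It assumes the theme assigns the self-chosen role before or during the `user_register` action and that `shop_manager` is the WooCommerce role slug; the `rrg_` function names and the role list are hypothetical.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not part of Homey)
 * Description: Demotes self-registered accounts that ended up with a privileged
 *              role and lists privileged accounts created recently.
 *              Place this file in wp-content/mu-plugins/.
 */

// Roles a self-registering visitor must never end up with (assumed list; extend as needed).
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor', 'shop_manager', 'author' );

// Return the subset of $roles that is considered privileged.
function rrg_privileged_roles( array $roles ): array {
    return array_values( array_intersect( $roles, RRG_PRIVILEGED_ROLES ) );
}

// On registration, reset any account holding a privileged role to the site default role.
// Very late priority so it runs after the role assigned during registration
// (assumption: the assignment happens before or inside 'user_register').
function rrg_enforce_registration_role( int $user_id ): void {
    // Users created by an administrator in wp-admin are legitimate; guard self-registration only.
    if ( is_admin() && current_user_can( 'create_users' ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $bad = rrg_privileged_roles( (array) $user->roles );
    if ( $bad ) {
        $fallback = get_option( 'default_role', 'subscriber' );
        $user->set_role( $fallback ); // set_role() replaces all existing roles
        error_log( sprintf( 'rrg: user %d registered with role(s) %s; reset to %s',
            $user_id, implode( ',', $bad ), $fallback ) );
    }
}
add_action( 'user_register', 'rrg_enforce_registration_role', PHP_INT_MAX );

// Audit helper: privileged accounts registered on or after $since (e.g. the disclosure date).
// Run from WP-CLI: wp eval 'print_r( rrg_recent_privileged_users( "2025-03-05" ) );'
function rrg_recent_privileged_users( string $since ): array {
    $users = get_users( array(
        'role__in'   => RRG_PRIVILEGED_ROLES,
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_registered' ),
    ) );
    return array_map( fn( $u ) => (array) $u, $users );
}
```

Review every account the audit returns against your change records; the guard only covers new registrations, so accounts elevated before it was installed must be fixed by hand.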
Update the Homey theme to the latest available version. This fixes the privilege escalation vulnerability that allows unauthenticated users to obtain Editor or Shop Manager roles.
CVE-2024-12281 is a critical vulnerability in the Homey WordPress plugin allowing attackers to gain elevated privileges by creating accounts with Editor or Shop Manager roles.
If you are using Homey plugin versions ≤2.4.2, you are affected by this vulnerability. Check your plugin version and update immediately.
Update the Homey plugin to the latest version available. If upgrading is not immediately possible, restrict user registration roles as a temporary workaround.
While no public exploits are currently known, the vulnerability's criticality and ease of exploitation suggest a medium probability of exploitation.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.