Platform: wordpress
Component: homey-login-register
Fixed in: 2.4.1
CVE-2024-11951 represents a critical privilege escalation vulnerability discovered in the Homey Login Register plugin for WordPress. This flaw allows unauthenticated attackers to elevate their privileges to the administrator role during the account registration process. The vulnerability affects versions of the plugin up to and including 2.4.0. A fix is available in a subsequent version (check vendor advisory).
The impact of CVE-2024-11951 is severe. Successful exploitation allows an attacker to bypass standard authentication and authorization mechanisms, directly gaining administrator access to the WordPress site. This grants complete control over the website, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, database information), and potentially compromise the entire server infrastructure. The ease of exploitation, requiring only the creation of a new account, significantly increases the risk of widespread attacks targeting vulnerable WordPress installations.
CVE-2024-11951 was publicly disclosed on 2025-03-05. While no active exploitation campaigns have been definitively linked to this CVE as of this writing, the ease of exploitation and the critical severity suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Exploit Status
EPSS: 0.48% (65th percentile)
The primary mitigation for CVE-2024-11951 is to immediately upgrade the Homey Login Register plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent new account registrations. While not a complete solution, implementing strict user role management policies within WordPress can limit the potential damage if the vulnerability is exploited. Monitor WordPress logs for suspicious account creation activity. After upgrading, confirm the fix by attempting to create a new user account and verifying that the role assignment is restricted to authorized users.
Update the Homey Login Register plugin to the latest available version. This will fix the privilege escalation vulnerability that allows unauthenticated users to obtain administrator access.
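Two of the checks above (confirm the installed plugin version is past the fix, and review which administrator accounts exist since the registration path was exposed) can be scripted. The following is an added example written for this advisory, not code from the plugin vendor or from WordPress; it assumes the version string comes from the plugin header (for instance via `wp plugin get homey-login-register --field=version`) and that the user list is the JSON printed by `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`. Both inputs are constructed inline so it runs offline.

```python
"""Audit helpers for CVE-2024-11951 in homey-login-register (added example)."""
import json
from datetime import datetime

# Versions up to and including 2.4.0 are affected; 2.4.1 carries the fix.
FIXED_IN = (2, 4, 1)


def parse_version(version: str) -> tuple:
    """'2.4.0-beta' -> (2, 4, 0); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release.
    An unparsable/empty version compares as () and is treated as vulnerable,
    which is the safe default for an audit."""
    return parse_version(version) < FIXED_IN


def suspicious_admins(users_json: str, expected_logins: set, since: str) -> list:
    """Return (registered, login, ID) for administrator accounts that are either
    not on the known-admin allow-list or were registered on/after `since`
    (e.g. the disclosure date), so an operator can review them by age."""
    cutoff = datetime.fromisoformat(since)
    flagged = []
    for user in json.loads(users_json):
        registered = datetime.fromisoformat(user["user_registered"])
        if user["user_login"] not in expected_logins or registered >= cutoff:
            flagged.append((user["user_registered"], user["user_login"], user["ID"]))
    return sorted(flagged)


# Constructed sample: one long-standing owner and one self-registered account
# that should never have been granted the administrator role.
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-06-02 10:15:00"},
    {"ID": 418, "user_login": "guest7731", "user_registered": "2025-03-09 03:41:12"},
])

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("2.4.0"))
    print("review:", suspicious_admins(SAMPLE_ADMINS, {"siteowner"}, "2025-03-05"))
```

Any account the audit returns should be verified against your own change records before it is removed or demoted.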
CVE-2024-11951 is a critical vulnerability in the Homey Login Register WordPress plugin allowing attackers to gain administrator privileges during account registration.
You are affected if your WordPress site uses the Homey Login Register plugin version 2.4.0 or earlier. Check your plugin versions immediately.
Upgrade the Homey Login Register plugin to the latest available version that addresses the vulnerability. If upgrading is not possible, temporarily disable the plugin.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official Homey Login Register plugin website or the WordPress plugin repository for the latest advisory and update information.