Platform
wordpress
Component
homey
Fixed in
2.4.3
CVE-2024-12281 represents a privilege escalation vulnerability within the Homey WordPress plugin. This flaw allows unauthenticated attackers to bypass intended access controls and gain elevated privileges. The vulnerability impacts versions of Homey up to and including 2.4.2. A fix is available via plugin update.
The core of this vulnerability lies in the plugin's account registration process. Homey, in vulnerable versions, permits newly registered users to self-assign roles, including those with significant administrative capabilities like Editor or Shop Manager. An attacker can exploit this by creating a new account and immediately assigning themselves a privileged role, effectively bypassing standard WordPress user access controls. This grants them the ability to modify content, manage users, and potentially compromise the entire WordPress site, depending on the permissions associated with the assigned role. The blast radius extends to any data accessible by the elevated user, including sensitive information stored within the WordPress database or accessible through plugins.
CVE-2024-12281 was publicly disclosed on 2025-03-05. While no public proof-of-concept (PoC) code has been released, the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability's criticality (CVSS 9.8) and ease of exploitation suggest a medium probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.48% (65% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12281 is to immediately update the Homey plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider temporarily restricting user registration roles to prevent new accounts from being created with elevated privileges. WordPress administrators can also implement a Web Application Firewall (WAF) rule to block requests attempting to assign privileged roles during account creation. Regularly review user roles and permissions to identify and remove any unauthorized elevated accounts. After upgrading, confirm the fix by attempting to create a new user account and verifying that role assignment is restricted.
Update the Homey theme to the latest available version. This will fix the privilege escalation vulnerability that allows unauthenticated users to obtain Editor or Shop Manager roles.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-12281 is a critical vulnerability in the Homey WordPress plugin allowing attackers to gain elevated privileges by creating accounts with Editor or Shop Manager roles.
If you are using Homey plugin versions ≤2.4.2, you are affected by this vulnerability. Check your plugin version and update immediately.
Update the Homey plugin to the latest version available. If upgrading is not immediately possible, restrict user registration roles as a temporary workaround.
While no public exploits are currently known, the vulnerability's criticality and ease of exploitation suggest a medium probability of exploitation.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.