RealHome theme and Easy Real Estate plugin… security risk

So I just saw that the RealHome theme and Easy Real Estate plugin for WordPress have some major security issues. Apparently, they let unauthenticated users gain admin access, which sounds really bad.

Patchstack discovered these flaws back in September 2024, but the company behind them (InspiryThemes) hasn’t responded or fixed them, even though they’ve released three updates since then.

If you’re using these on your real estate website, it looks like you’re at risk. Has anyone found a way to protect their site while waiting for a fix?

That’s pretty scary. I use RealHome on a couple of client sites. Are there any temporary fixes?

Jay said:
That’s pretty scary. I use RealHome on a couple of client sites. Are there any temporary fixes?

From what I read, Patchstack warned about it but no official patch yet. Maybe disabling user registration can help?

@Flint
Yeah, disabling registration might stop attackers from making new admin accounts. But if there’s another way in, it won’t fix everything.

I don’t get it… how does this vulnerability actually work?

Milan said:
I don’t get it… how does this vulnerability actually work?

Basically, there’s a function in the theme that lets people register new accounts. The problem is, it doesn’t check permissions properly. Hackers can use it to make themselves admins.

@Flint
So if someone finds a site with this theme and registration enabled, they can just sign up as an admin?

Jamie said:
@Flint
So if someone finds a site with this theme and registration enabled, they can just sign up as an admin?

Yep, that’s the issue. If the site allows new users to register, an attacker can send a special request and set their role as admin.

Does this affect all versions of RealHome and Easy Real Estate, or just recent ones?

Riley said:
Does this affect all versions of RealHome and Easy Real Estate, or just recent ones?

Not sure, but it looks like it affects all versions still being used since there hasn’t been a fix yet.

@Flint
If they haven’t fixed it after multiple updates, I wouldn’t expect them to fix it anytime soon.

What’s the best way to protect a site if I can’t switch themes right now?

Uma said:
What’s the best way to protect a site if I can’t switch themes right now?

At the very least, disable new user registration and monitor your site for any suspicious activity. You might also want to use a security plugin like Wordfence.

@Flint
I’d also recommend setting up 2FA for admin accounts just in case.

Gray said:
@Flint
I’d also recommend setting up 2FA for admin accounts just in case.

That makes sense. Guess I should start looking for alternative themes too.

InspiryThemes not responding is a bad sign. I’d be worried about using their stuff in the future.

Layne said:
InspiryThemes not responding is a bad sign. I’d be worried about using their stuff in the future.

Yeah, ignoring security flaws is a big red flag. If they don’t patch this, who knows what other issues they’ll ignore?

@Flint
At this point, it’s probably safer to move to a different theme. No point waiting for a fix that might never come.
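An added example, not part of the thread and not code from InspiryThemes or Patchstack: a stopgap must-use plugin that applies the two mitigations discussed above, forcing registration off and refusing an administrator role that was not granted by a logged-in administrator. It assumes the registration function described in the thread assigns the role through WordPress core (`wp_insert_user()` / `WP_User::set_role()`); the file name is hypothetical.

```php
<?php
/**
 * Plugin Name: Stopgap - block unauthenticated admin role assignment
 * Added example. Save as wp-content/mu-plugins/stopgap-role-guard.php
 * (hypothetical file name). Not vendor code.
 */

// Mitigation 1: report "Anyone can register" as off, whatever the database says.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// Mitigation 2: undo any administrator role assignment that does not come
// from a trusted context.
// Assumption: the role is set through WP_User::set_role(), which fires the
// core 'set_user_role' action.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role ) {
        return; // Only the administrator role is guarded here.
    }

    // Trusted contexts: WP-CLI, the installer, or a logged-in user who is
    // allowed to promote other users.
    $trusted = ( defined( 'WP_CLI' ) && WP_CLI )
        || wp_installing()
        || current_user_can( 'promote_users' );
    if ( $trusted ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // Fall back to the site's default role, never to administrator itself.
    $fallback = get_option( 'default_role', 'subscriber' );
    if ( 'administrator' === $fallback ) {
        $fallback = 'subscriber';
    }
    $user->set_role( $fallback );

    // Leave a trace for monitoring; review the PHP error log for these lines.
    error_log( sprintf(
        '[role-guard] Blocked administrator role for user ID %d (request from %s)',
        $user_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
}, 10, 3 );
```

This does not replace a vendor patch: a code path that writes the capabilities user meta directly, without calling `set_role()`, would bypass the second check, so keep auditing the administrator list as well.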