CVE-2024-11951: Homey Login Register <= 2.4.0 - Unauthenticated Privilege Escalation in homey_register
First published: Wed Mar 05 2025(Updated: )
The Homey Login Register plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.0. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Homey Login Register | <=2.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-11951?
CVE-2024-11951 has a medium severity level due to its potential for privilege escalation.
How do I fix CVE-2024-11951?
To fix CVE-2024-11951, update the Homey Login Register plugin to version 2.4.1 or later.
Who is affected by CVE-2024-11951?
All users of the Homey Login Register plugin for WordPress up to and including version 2.4.0 are affected by CVE-2024-11951.
What type of vulnerability is CVE-2024-11951?
CVE-2024-11951 is a privilege escalation vulnerability that allows unauthorized role assignment.
Can CVE-2024-11951 be exploited by unauthenticated users?
Yes, CVE-2024-11951 can be exploited by unauthenticated users registering new accounts.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/source
- agent/severity
- agent/tags
- agent/event
- vendor/homey
- canonical/homey login register