CVE-2024-12281: Homey <= 2.4.2 - Unauthenticated Privilege Escalation in homey_save_profile
First published: Wed Mar 05 2025(Updated: )
The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the Editor or Shop Manager role.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Homey Homey Pro | <=2.4.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-12281?
CVE-2024-12281 is considered a high severity vulnerability due to its potential for privilege escalation.
How do I fix CVE-2024-12281?
To fix CVE-2024-12281, update the Homey theme to version 2.4.3 or later.
Who is affected by CVE-2024-12281?
All users of the Homey theme for WordPress up to and including version 2.4.2 are affected by CVE-2024-12281.
Can unauthenticated users exploit CVE-2024-12281?
Yes, unauthenticated users can exploit CVE-2024-12281 to gain elevated privileges by setting their own user role.
What type of vulnerability is CVE-2024-12281?
CVE-2024-12281 is a privilege escalation vulnerability allowing unauthorized users to gain higher-level access.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/source
- agent/severity
- agent/tags
- agent/event
- vendor/homey
- canonical/homey homey pro