Cyber Posture

CVE-2024-13421

Critical

Published: 12 February 2025

Published
12 February 2025
Modified
25 February 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0024 46.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13421 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Contempothemes Real Estate 7. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 46.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-2 Account Management good match
prevent

Requires defined processes for account creation and privilege assignment, directly preventing unauthenticated attackers from registering administrative accounts with elevated roles.

AC-6 Least Privilege good match
prevent

Enforces least privilege by ensuring new user accounts receive only necessary access rights, blocking incorrect assignment of administrative privileges during registration.

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of identified flaws, such as patching the Real Estate 7 theme to restrict selectable roles during user registration.

NVD Description

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes…

more

it possible for unauthenticated attackers to register a new administrative user account.

Deeper analysisAI

CVE-2024-13421 is a privilege escalation vulnerability in the Real Estate 7 WordPress theme for WordPress, affecting all versions up to and including 3.5.1. The flaw arises because the theme fails to properly restrict the user roles that can be selected during account registration, allowing attackers to assign themselves elevated privileges.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no required privileges or user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation enables remote registration of a new administrative user account, granting full control over the WordPress site and potential compromise of confidentiality, integrity, and availability.

Advisories and mitigation guidance are available via the theme's changelog at https://contempothemes.com/changelog/, the ThemeForest product page at https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/a50b3304-d55b-487a-8137-d5083c704cf4?source=cve, which security practitioners should consult for patching details. The vulnerability is associated with CWE-266 (Incorrect Privilege Assignment).

Details

CWE(s)
CWE-266NVD-CWE-noinfo

Affected Products

contempothemes
real estate 7
≤ 3.5.2

CVEs Like This One

CVE-2024-13251Shared CWE-266
CVE-2026-27102Shared CWE-266
CVE-2024-12470Shared CWE-266
CVE-2025-69293Shared CWE-266
CVE-2024-32444Shared CWE-266
CVE-2026-25414Shared CWE-266
CVE-2026-22907Shared CWE-266
CVE-2026-32520Shared CWE-266
CVE-2025-31643Shared CWE-266
CVE-2024-43333Shared CWE-266

References