Cyber Resilience

CVE-2024-13421

Critical

Published: 12 February 2025

Published
12 February 2025
Modified
25 February 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0024 47.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13421 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Contempothemes Real Estate 7. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-13421 is a privilege escalation vulnerability in the Real Estate 7 WordPress theme for WordPress, affecting all versions up to and including 3.5.1. The flaw arises because the theme fails to properly restrict the user roles that can be selected during account registration, allowing attackers to assign themselves elevated privileges.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no required privileges or user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation enables remote registration of a new administrative user account, granting full control over the WordPress site and potential compromise of confidentiality, integrity, and availability.

Advisories and mitigation guidance are available via the theme's changelog at https://contempothemes.com/changelog/, the ThemeForest product page at https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/a50b3304-d55b-487a-8137-d5083c704cf4?source=cve, which security practitioners should consult for patching details. The vulnerability is associated with CWE-266 (Incorrect Privilege Assignment).

EU & UK References

Vulnerability details

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes…

more

it possible for unauthenticated attackers to register a new administrative user account.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct unauthenticated exploitation of public-facing WordPress app to create admin account (privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24971Shared CWE-266
CVE-2024-51888Shared CWE-266
CVE-2025-44655Shared CWE-266
CVE-2025-49388Shared CWE-266
CVE-2024-43333Shared CWE-266
CVE-2024-12470Shared CWE-266
CVE-2026-23550Shared CWE-266
CVE-2026-32520Shared CWE-266
CVE-2025-67953Shared CWE-266
CVE-2024-32555Shared CWE-266

Affected Assets

contempothemes
real estate 7
≤ 3.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires defined processes for account creation and privilege assignment, directly preventing unauthenticated attackers from registering administrative accounts with elevated roles.

prevent

Enforces least privilege by ensuring new user accounts receive only necessary access rights, blocking incorrect assignment of administrative privileges during registration.

prevent

Mandates timely remediation of identified flaws, such as patching the Real Estate 7 theme to restrict selectable roles during user registration.

References