CVE-2024-32555

Critical

Published: 21 January 2025

Published

21 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0024 46.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-32555 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 46.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely remediation of the privilege escalation flaw in the Easy Real Estate plugin through patching.

AC-6 Least Privilege good match

prevent

Enforces least privilege to limit the impact and success of unauthorized privilege escalation attempts exploiting incorrect privilege assignment.

AC-3 Access Enforcement good match

prevent

Requires enforcement of approved access control policies, preventing exploitation of incorrect privilege assignments in the plugin.

NVD Description

Incorrect Privilege Assignment vulnerability in InspiryThemes Easy Real Estate easy-real-estate allows Privilege Escalation.This issue affects Easy Real Estate: from n/a through <= 2.2.9.

Deeper analysisAI

CVE-2024-32555 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Easy Real Estate WordPress plugin developed by InspiryThemes. This flaw enables privilege escalation and affects all versions of the easy-real-estate plugin up to and including 2.2.9.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), indicating it is exploitable over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). Unauthenticated remote attackers can leverage this issue to escalate privileges within affected WordPress installations.

Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/easy-real-estate/vulnerability/wordpress-easy-real-estate-plugin-2-2-6-privilege-escalation-vulnerability?_s_id=cve) documents the privilege escalation vulnerability, specifically highlighting it in version 2.2.6, and serves as a key reference for mitigation guidance.

Details

CWE(s): CWE-266

CVEs Like This One

CVE-2024-13251Shared CWE-266

CVE-2026-27102Shared CWE-266

CVE-2024-12470Shared CWE-266

CVE-2025-69293Shared CWE-266

CVE-2024-32444Shared CWE-266

CVE-2026-25414Shared CWE-266

CVE-2026-22907Shared CWE-266

CVE-2026-32520Shared CWE-266

CVE-2025-31643Shared CWE-266

CVE-2024-43333Shared CWE-266

References

https://patchstack.com/database/Wordpress/Plugin/easy-real-estate/vulnerability/wordpress-easy-real-estate-plugin-2-2-6-privilege-escalation-vulnerability?_s_id=cve
audit@patchstack.com