Cyber Resilience

CVE-2024-32555

Critical

Published: 21 January 2025

Published
21 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0024 47.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-32555 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 47.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-32555 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Easy Real Estate WordPress plugin developed by InspiryThemes. This flaw enables privilege escalation and affects all versions of the easy-real-estate plugin up to and including 2.2.9.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), indicating it is exploitable over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). Unauthenticated remote attackers can leverage this issue to escalate privileges within affected WordPress installations.

Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/easy-real-estate/vulnerability/wordpress-easy-real-estate-plugin-2-2-6-privilege-escalation-vulnerability?_s_id=cve) documents the privilege escalation vulnerability, specifically highlighting it in version 2.2.6, and serves as a key reference for mitigation guidance.

EU & UK References

Vulnerability details

Incorrect Privilege Assignment vulnerability in InspiryThemes Easy Real Estate easy-real-estate allows Privilege Escalation.This issue affects Easy Real Estate: from n/a through <= 2.2.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directly enables remote unauthenticated exploitation of a public-facing web app (WordPress plugin) for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24971Shared CWE-266
CVE-2024-51888Shared CWE-266
CVE-2025-44655Shared CWE-266
CVE-2025-49388Shared CWE-266
CVE-2024-43333Shared CWE-266
CVE-2024-12470Shared CWE-266
CVE-2026-23550Shared CWE-266
CVE-2026-32520Shared CWE-266
CVE-2025-67953Shared CWE-266
CVE-2026-32519Shared CWE-266

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely remediation of the privilege escalation flaw in the Easy Real Estate plugin through patching.

prevent

Enforces least privilege to limit the impact and success of unauthorized privilege escalation attempts exploiting incorrect privilege assignment.

prevent

Requires enforcement of approved access control policies, preventing exploitation of incorrect privilege assignments in the plugin.

References