CVE-2024-13421: 
WordPress vulnerability analysis and mitigation

CVE-2024-13421 is a critical privilege escalation vulnerability discovered in the Real Estate 7 WordPress theme, affecting all versions up to and including 3.5.1. The vulnerability was publicly disclosed on February 11, 2025, and received a CVSS score of 9.8 (Critical). The issue stems from the theme's failure to properly restrict the roles that can be selected during the user registration process (TheSecMaster).

The vulnerability exists due to improper role restriction during user registration, allowing unauthenticated attackers to bypass the intended role assignment restrictions. The theme does not adequately validate and sanitize the user-supplied role during registration, enabling attackers to create administrative user accounts without proper authorization (TheSecMaster, Wordfence).

The impact of this vulnerability is severe, potentially leading to complete compromise of affected WordPress sites. Once exploited, attackers can gain full administrative access, allowing them to modify site content, install or remove plugins and themes, access sensitive information including user data and database credentials, deface the website, and potentially use the compromised site to launch further attacks (TheSecMaster).

The primary mitigation is to update the Real Estate 7 theme to a version newer than 3.5.1. The vulnerability has been patched in version 3.5.3, released on February 23, 2025. Site administrators should immediately check their theme version and update if running a vulnerable version (Contempo Changelog).