CVE-2024-51800: 
WordPress vulnerability analysis and mitigation

The Homey WordPress theme contains a privilege escalation vulnerability (CVE-2024-51800) that affects all versions up to and including 2.4.1. The vulnerability was discovered by security researcher Ayoub Nouri and was publicly disclosed on January 13, 2025. This security flaw allows authenticated users with Subscriber-level access or higher to elevate their privileges to administrator level (WPScan, Patchstack).

The vulnerability is classified as an Incorrect Privilege Assignment (CWE-266) with a CVSS v3.1 score of 9.8 (Critical), indicating the highest severity level. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which suggests that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, and can result in high impacts to confidentiality, integrity, and availability (NVD, Patchstack).

The vulnerability allows authenticated attackers to escalate their privileges to administrator level, potentially gaining full control over the affected WordPress website. This level of access could enable attackers to modify website content, install malicious plugins, access sensitive information, and perform any administrative actions on the compromised site (Patchstack).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider temporarily disabling the theme (Patchstack).