CVE-2025-1327 is a medium-severity vulnerability affecting the Homey WordPress theme developed by Fave Themes, specifically all versions up to and including 2.4.4. The vulnerability is classified as an Insecure Direct Object Reference (IDOR), corresponding to CWE-639, which arises from improper authorization validation on a user-controlled key parameter within the 'homey_delete_user_account' action. This flaw allows an authenticated attacker with at least Subscriber-level privileges to delete other users' accounts without proper authorization checks. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The attacker must have some level of authenticated access (PR:L) but does not need elevated privileges beyond Subscriber. The impact is limited to integrity, as the vulnerability allows unauthorized deletion of user accounts, but does not affect confidentiality or availability. No known exploits are currently reported in the wild, and no official patches have been released as of the publication date (May 2, 2025). The vulnerability affects all versions of the Homey theme, which is a popular WordPress theme used primarily for real estate and rental listing websites. The lack of validation on the user-controlled key parameter means that an attacker can manipulate the request to target arbitrary user accounts for deletion, potentially disrupting user access and causing administrative overhead to restore accounts and data. Given the nature of WordPress themes, this vulnerability is exploitable on any WordPress site using the affected Homey theme versions, making it a widespread risk for sites that have not updated or mitigated the issue.

For European organizations, the impact of CVE-2025-1327 can be significant, particularly for businesses relying on WordPress sites with the Homey theme for real estate, rental, or property management services. Unauthorized deletion of user accounts can lead to loss of user data, disruption of service, and damage to reputation. Although the vulnerability does not directly compromise confidentiality or availability, the integrity breach can result in operational disruptions, loss of customer trust, and potential regulatory scrutiny under GDPR if personal data associated with deleted accounts is mishandled or lost. Organizations with high user interaction or membership-based services are at higher risk. Additionally, the need for authenticated access means that attackers must first compromise or register accounts, which could be easier for sites with open registration or weak user verification. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public. The medium CVSS score reflects moderate risk but should not lead to complacency given the potential for targeted attacks against user management systems.

1. Immediate mitigation should include restricting or disabling the 'homey_delete_user_account' action if possible via custom code or security plugins until an official patch is available. 2. Implement strict access controls and monitoring on user account deletion functions, including logging and alerting on deletion attempts. 3. Enforce multi-factor authentication (MFA) for all user accounts to reduce the risk of account takeover by attackers seeking Subscriber-level access. 4. Review and tighten user registration policies to prevent unauthorized account creation that could be leveraged for exploitation. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable parameter. 6. Regularly back up user data and site configurations to enable rapid recovery from unauthorized deletions. 7. Monitor WordPress theme updates from Fave Themes and apply patches promptly once released. 8. Conduct security audits and penetration testing focused on authorization controls within WordPress themes and plugins to identify similar weaknesses proactively.