CVE-2025-1327: CWE-639 Authorization Bypass Through User-Controlled Key in Fave Themes Homey
The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's accounts.
AI Analysis
Technical Summary
The Homey WordPress theme suffers from an authorization bypass vulnerability (CWE-639) in the 'homey_delete_user_account' action. The vulnerability arises because the theme fails to validate a user-controlled key, enabling authenticated attackers with at least Subscriber privileges to delete accounts of other users. This insecure direct object reference can lead to unauthorized account deletions. The issue affects all versions up to 2.4.4. The CVSS 3.1 base score is 4.3 (medium), reflecting the limited impact on integrity and no impact on confidentiality or availability. No patch or remediation information is currently provided by the vendor.
Potential Impact
An attacker with Subscriber-level or higher access can delete other users' accounts due to improper authorization checks. This compromises the integrity of user account data but does not affect confidentiality or availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict user roles and permissions to trusted users only and monitor for suspicious account deletion activity. Avoid granting Subscriber or higher privileges to untrusted users. Follow vendor updates for an official fix.
CVE-2025-1327: CWE-639 Authorization Bypass Through User-Controlled Key in Fave Themes Homey
Description
The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's accounts.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Homey WordPress theme suffers from an authorization bypass vulnerability (CWE-639) in the 'homey_delete_user_account' action. The vulnerability arises because the theme fails to validate a user-controlled key, enabling authenticated attackers with at least Subscriber privileges to delete accounts of other users. This insecure direct object reference can lead to unauthorized account deletions. The issue affects all versions up to 2.4.4. The CVSS 3.1 base score is 4.3 (medium), reflecting the limited impact on integrity and no impact on confidentiality or availability. No patch or remediation information is currently provided by the vendor.
Potential Impact
An attacker with Subscriber-level or higher access can delete other users' accounts due to improper authorization checks. This compromises the integrity of user account data but does not affect confidentiality or availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict user roles and permissions to trusted users only and monitor for suspicious account deletion activity. Avoid granting Subscriber or higher privileges to untrusted users. Follow vendor updates for an official fix.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-02-14T23:56:28.612Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9838c4522896dcbec08a
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 4/9/2026, 5:00:54 PM
Last updated: 5/10/2026, 8:05:09 AM
Views: 94
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.