CVE-2025-1327 identifies an authorization bypass vulnerability in the Homey WordPress theme developed by Fave Themes, present in all versions up to and including 2.4.4. The flaw arises from an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639, where the 'homey_delete_user_account' action fails to properly validate a user-controlled key parameter. This lack of validation allows authenticated users with Subscriber-level privileges or higher to delete other users' accounts arbitrarily. The vulnerability is exploitable remotely over the network without user interaction, requiring only authenticated access. The CVSS v3.1 score is 4.3 (medium severity), reflecting the limited impact on confidentiality and availability but a clear integrity risk due to unauthorized account deletions. No patches have been officially released, and no exploits have been observed in the wild. The vulnerability could be leveraged to disrupt user management, potentially causing denial of service for targeted users and undermining trust in affected WordPress sites. The issue highlights the importance of strict authorization checks on sensitive actions within web applications, especially those exposed to authenticated users with limited privileges.

The primary impact of CVE-2025-1327 is the unauthorized deletion of user accounts by attackers with minimal privileges (Subscriber-level or above). This compromises the integrity of user data and can disrupt normal operations by removing legitimate users, potentially causing denial of service for those users. While confidentiality and availability are not directly affected, the ability to delete accounts without proper authorization can lead to administrative overhead, loss of user trust, and potential exploitation in combination with other vulnerabilities. Organizations relying on the Homey theme for membership, booking, or community-based WordPress sites are particularly vulnerable to operational disruption. The vulnerability could be exploited to target specific users, including administrators if their accounts are accessible, thereby escalating the impact. Although no known exploits are currently in the wild, the ease of exploitation and the widespread use of WordPress themes make this a significant risk if left unmitigated.

1. Immediately restrict the ability to delete user accounts to trusted roles such as Administrators only, by modifying the theme code or using role management plugins. 2. Implement strict validation and authorization checks on the 'homey_delete_user_account' action to ensure the user requesting deletion owns the account or has explicit permission. 3. Monitor WordPress logs for suspicious account deletion attempts, especially from Subscriber-level users. 4. If possible, disable or remove the Homey theme until a patch is released. 5. Apply principle of least privilege to all user roles, minimizing the number of users with elevated permissions. 6. Regularly back up user data to enable recovery from unauthorized deletions. 7. Engage with Fave Themes or the WordPress community to track patch releases and apply updates promptly. 8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized deletion requests targeting this vulnerability.