{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1327", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-14T23:56:28.612Z", "datePublished": "2025-05-02T03:21:18.862Z", "dateUpdated": "2026-04-08T16:46:34.880Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:34.880Z"}, "affected": [{"vendor": "Fave Themes", "product": "Homey", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's accounts."}], "title": "Homey - Booking and Rentals WordPress Theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38aa649c-e9d3-458b-b567-e2e751aaca00?source=cve"}, {"url": "https://themeforest.net/item/homey-booking-wordpress-theme/23338013"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ayoub Nouri"}], "timeline": [{"time": "2025-05-01T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T14:53:54.664719Z", "id": "CVE-2025-1327", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T14:54:05.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1327", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-02T14:53:54.664719Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T14:54:00.493Z"}}], "cna": {"title": "Homey - Booking and Rentals WordPress Theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Ayoub Nouri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "Fave Themes", "product": "Homey", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-01T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38aa649c-e9d3-458b-b567-e2e751aaca00?source=cve"}, {"url": "https://themeforest.net/item/homey-booking-wordpress-theme/23338013"}], "descriptions": [{"lang": "en", "value": "The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's accounts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:34.880Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1327", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:34.880Z", "dateReserved": "2025-02-14T23:56:28.612Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-02T03:21:18.862Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:favethemes:homey:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "9407FACC-67ED-4842-B1C4-228A371821D5", "versionEndExcluding": "2.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's accounts."}, {"lang": "es", "value": "El tema Homey para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 2.4.4 incluida, mediante la acci\u00f3n 'homey_delete_user_account', debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, eliminen las cuentas de otros usuarios."}], "id": "CVE-2025-1327", "lastModified": "2025-05-06T15:29:09.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-05-02T04:15:46.760", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://themeforest.net/item/homey-booking-wordpress-theme/23338013"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38aa649c-e9d3-458b-b567-e2e751aaca00?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:00:13.618525+00:00", "value": {"mitigation_remediation": ["Update the Homey theme to the latest release that fixes the missing validation on user-controlled keys.", "If updating is not immediately feasible, modify the delete action to check for the 'manage_options' capability (or equivalent administrator-level capability) before proceeding with account deletion.", "Configure logging or monitoring around the delete endpoint to detect and alert on any unauthorized account deletions, and review role permissions to ensure that Subscriber-level users cannot reach the delete functionality."], "summary": {"action": "Patch Now", "impact": "Arbitrary user account deletion"}, "threat_synthesis": {"affected_systems": "Affecting the Homey theme from Fave Themes, all versions through 2.4.4. Any WordPress installation that includes this theme without an update is exposed. The flaw exists regardless of WordPress core version, as it is built into the theme\u2019s code.", "description_and_impact": "The Homey WordPress theme is vulnerable to an Insecure Direct Object Reference that allows authenticated users with Subscriber-level access or higher to delete other users\u2019 accounts by exploiting the 'homey_delete_user_account' action. This denial of service to users can lead to data loss, user frustration, and potential cascading effects on any services relying on those accounts. The weakness stems from missing validation on a user\u2011controlled key, a classic case of CWE\u2011639: Authorization Bypass Through User\u2011Controlled Key.", "risk_and_exploitability": "With a CVSS score of 4.3, the flaw is of moderate severity. The EPSS score is under 1\u202f%, indicating a low likelihood of exploitation, and it is not listed in the CISA KEV catalog. The attack can be performed by simply crafting a request to the deletion endpoint while authenticated as a Subscriber+, implying an authenticated IDOR that requires only basic access to the site\u2019s admin interface."}}}}, "created": "2026-04-21T21:00:36.015084+00:00", "updated": "2026-04-21T21:00:36.015100+00:00", "vendors": []}