Description
The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users' accounts.
Published: 2025-05-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary user account deletion
Action: Patch Now
AI Analysis

Impact

The Homey WordPress theme is vulnerable to an Insecure Direct Object Reference that allows authenticated users with Subscriber-level access or higher to delete other users' accounts through the 'homey_delete_user_account' action. Deleting accounts denies service to their owners and can lead to data loss, user frustration, and cascading effects on any services that rely on those accounts. The weakness stems from missing validation on a user-controlled key, a classic case of CWE-639: Authorization Bypass Through User-Controlled Key.

Affected Systems

The Homey theme from Fave Themes is affected in all versions through 2.4.4. Any WordPress installation that includes this theme without the update is exposed. The flaw exists regardless of WordPress core version, because it is built into the theme's own code.

Risk and Exploitability

With a CVSS score of 4.3, the flaw is of moderate severity. The EPSS score is under 1%, indicating a low likelihood of exploitation, and it is not listed in the CISA KEV catalog. The attack requires only an authenticated Subscriber-level (or higher) account and a crafted request to the deletion endpoint, making this an authenticated IDOR that needs nothing more than basic access to the site's admin interface.

Generated by OpenCVE AI on April 21, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Homey theme to the latest release that fixes the missing validation on user-controlled keys.
  • If updating is not immediately feasible, modify the delete action to check for the 'manage_options' capability (or equivalent administrator-level capability) before proceeding with account deletion.
  • Configure logging or monitoring around the delete endpoint to detect and alert on any unauthorized account deletions, and review role permissions to ensure that Subscriber-level users cannot reach the delete functionality.
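The second and third recommendations above, a capability check on the delete action and logging around the endpoint, can be combined in one hardened handler. The following PHP is an added illustration written for this page; it is not the Homey theme's code, and the 'user_id' request field, the 'homey_delete_account' nonce action name and the 'security' nonce field are assumptions. It registers a WordPress AJAX handler for an action named like the one in the advisory, lets a user delete only their own account unless they hold an administrator-level capability, and logs both denied and successful deletions.

```php
<?php
// Hypothetical hardened handler for a 'homey_delete_user_account' style AJAX action.
// Added illustration, not the Homey theme's code. The 'user_id' request field and the
// 'homey_delete_account' / 'security' nonce names are assumptions made for this example.

add_action( 'wp_ajax_homey_delete_user_account', 'example_hardened_delete_user_account' );

function example_hardened_delete_user_account() {
    // 1. CSRF protection: reject requests that carry no valid nonce for this action.
    check_ajax_referer( 'homey_delete_account', 'security' );

    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    // 2. The user-controlled key. Sanitize it, then refuse to act on any account other
    //    than the caller's own unless the caller holds an administrator-level capability
    //    (the advisory suggests 'manage_options'; 'delete_users' is the specific one).
    $target_user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current_user_id;

    $is_self  = ( $target_user_id === $current_user_id );
    $is_admin = current_user_can( 'manage_options' ) && current_user_can( 'delete_users' );

    if ( ! $is_self && ! $is_admin ) {
        // 3. Log the authorization failure so monitoring can alert on probing of this endpoint.
        error_log( sprintf(
            'homey_delete_user_account: user %d denied deleting user %d from %s',
            $current_user_id,
            $target_user_id,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'You may only delete your own account.' ), 403 );
    }

    // Never let this front-end path remove an administrator, even as self-deletion.
    if ( user_can( $target_user_id, 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Administrator accounts cannot be deleted here.' ), 403 );
    }

    // wp_delete_user() lives in an admin include that is not loaded on AJAX requests by default.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $deleted = wp_delete_user( $target_user_id );

    // 4. Record every deletion attempt with the acting user, for audit and alerting.
    error_log( sprintf(
        'homey_delete_user_account: user %d deleted user %d (result=%s)',
        $current_user_id,
        $target_user_id,
        $deleted ? 'ok' : 'failed'
    ) );

    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted_user_id' => $target_user_id ) );
}
```

The two error_log() lines give a monitoring pipeline a stable string to match on; any 'denied deleting' entry from a Subscriber-level account, or any deletion whose acting user is not the deleted user and is not an administrator, is the signal the third recommendation asks for.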

Advisories

  • Source: EUVD
    ID: EUVD-2025-13300
    Title: The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users' accounts.
History

Tue, 06 May 2025 15:45:00 +0000

  • First Time appeared (values added): Favethemes; Favethemes homey
  • CPEs (values added): cpe:2.3:a:favethemes:homey:*:*:*:*:*:wordpress:*:*
  • Vendors & Products (values added): Favethemes; Favethemes homey

Fri, 02 May 2025 15:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 02 May 2025 03:45:00 +0000

  • Description (values added): The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users' accounts.
  • Title (values added): Homey - Booking and Rentals WordPress Theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion
  • Weaknesses (values added): CWE-639
  • References (values added):
  • Metrics (values added): cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Favethemes Homey
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:34.880Z

Reserved: 2025-02-14T23:56:28.612Z

Link: CVE-2025-1327

Vulnrichment

Updated: 2025-05-02T14:54:00.493Z

NVD

Status: Analyzed

Published: 2025-05-02T04:15:46.760

Modified: 2025-05-06T15:29:09.143

Link: CVE-2025-1327

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:36Z

Weaknesses