PT-2025-10028 · WordPress · Homey

István Márton · Published 2025-03-07 · Updated 2025-03-12 · CVE-2025-0749

CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Homey theme for WordPress versions up to and including 2.4.3

Description: The issue allows authentication bypass because the verification id value is set to empty and the dashboard user profile page is missing a not-empty check. This enables unauthenticated attackers to log in as the first verified user.

Recommendations: For versions up to and including 2.4.3, update to a version that includes the necessary checks to prevent authentication bypass, specifically one that properly validates the verification id value.

Fix

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

CVE-2025-0749

Affected Products

Homey